MS creates security algorithm black list

Microsoft has deemed unsafe a number of security algorithms.

Microsoft has banned its developers from using a number of security algorithms because they deem them to have become unsafe. The company has said its developers should not use DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm.

The MD4 and MD5 algorithms – part of the message digest algorithm developed at MIT in the early 1990s - are used to encrypt information in Microsoft applications and for digital signatures. DES (Data Encryption Standard) is a longstanding encryption method used in networking protocols.

In their place Microsoft recommended use of the Secure Hash Algorithm 256 (SHA256) encryption algorithm and AES (Advanced Encryption Standard).

Microsoft developers who write any of the proscribed algorithms into software will be alerted by automated code scanning tools and prompted to use more secure methods.

Butler senior research analyst Michael Azoff said users should check that no software in their organisation relies on these forms of encryption.

“Where you are using Microsoft applications with these forms of encryption you will want to update these to more recent, more powerful standards. The first step should be to audit the applications you have that use Microsoft security components. In most cases it is probably a straightforward update that will be covered by a patch, but if you are not certain about the security of software then you should consider not using it until a fix can be found, especially in cases where older software is being linked up to the web,” he said.

Read more on Microsoft Windows software