SHA-2 Compliance

As part of a security improvement, organizations are transitioning from the SHA-1 hashing algorithm to a SHA-2 (usually SHA-256) hashing algorithm. This change is usually driven by compliance requirements:

  • NIST SP 800-78 requires that the content of a PIV card (digital certificates, CHUID, biometric information) be signed with the SHA-256 hashing algorithm.

  • NIST SP 800-131 provides guidance specifying that SHA-2 (SHA-224, SHA-256, SHA-384 or SHA-512) should be used as the hashing algorithm for digital signature generation and verification (SHA-1 remains acceptable for operations other than digital signature generation).

This change has a big impact on many applications. This section describes the impact of these changes on ActivClient and various applications. Support for SHA-2 for other use cases (non-digital signature operations) is not covered in this section.

Card Content Signed with SHA-2

ActivClient supports smart cards whose content (digital certificates, CHUID, biometric information) is signed with a SHA-2 hashing algorithm.
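As an added example that is not part of the ActivClient documentation, the stand-alone Python script below reads a DER-encoded X.509 certificate (assumed to have been exported from the card or from a certificate store) and reports whether its signature uses SHA-1 or a SHA-2 hash, which is the check an administrator would run before relying on the statement above. The two sample certificates at the end are constructed minimal ASN.1 structures, not real certificates.

```python
# OID -> (algorithm name, hash) for common X.509 signature algorithms.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Return (oid, algorithm, hash) from the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (base64-decode PEM input first)")
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)            # signatureAlgorithm ::= SEQUENCE
    tag, oid_raw, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_raw)
    return (oid,) + SIG_OIDS.get(oid, ("unknown", "unknown"))

def is_sha2_signed(der):
    """True when the certificate signature uses a SHA-2 family hash."""
    return signature_hash(der)[2] in {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}

# Constructed samples: empty tbsCertificate, AlgorithmIdentifier {OID, NULL}, empty BIT STRING.
def _sample(alg_hex):
    body = bytes.fromhex("3000" + alg_hex + "030100")
    return bytes([0x30, len(body)]) + body

SHA256_CERT = _sample("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
SHA1_CERT = _sample("300d06092a864886f70d0101050500")    # sha1WithRSAEncryption
```

For a real file, pass `open("cert.der", "rb").read()` to `is_sha2_signed`; a False result means the certificate does not meet the SHA-256 signing requirement cited above.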

This change might have an impact on some applications, as indicated in the table below.

Note: The table focuses on the ActivClient 7.4.1-supported environments.


Service: Windows PKI Logon

Product and versions:

  • Supported clients – Windows 8.1 latest update, 10, and 11

  • Supported servers – Windows Server 2012 R2, 2016, 2019, and 2022

Service: Remote access

Product and versions: Windows & Citrix

Service: Secure web access

Product and versions:

  • Supported browsers – Microsoft Internet Explorer 11, Microsoft Edge Chromium, Firefox (latest version), Google Chrome (latest version). Browsers have limited impact on SHA-2 certificates.

  • Supported servers – IIS 7.5 and later, Apache 2.2 and later.

Notes: Check with your vendor for other web servers.

Service: Secure email

Product and versions (supported applications):

  • Microsoft Outlook 2016 and later

  • Outlook Web Access (with Exchange 2013 SP1 and later)

  • Mozilla Thunderbird (latest version)

Notes: Email signature is configured for SHA-256. See the next section for SHA-2 configuration.

Service: Document signing

Product and versions (supported applications):

  • Office 2016 and later (e.g. Word, Excel)

  • Adobe Acrobat Professional DC and later

  • Windows XPS Viewer

Notes: Document signature is configured for SHA-256. See the next section for SHA-2 configuration.

Service: Document encryption

Product and versions (supported applications):

  • Windows EFS

  • BitLocker To Go

Using SHA-2 for Digital Signature Operations

ActivClient includes several middleware libraries that enable applications to use SHA-2 for digital signature operations:

  • A Mini Driver, required to support SHA-2 for digital signature operations with the latest Microsoft applications.

  • A PKCS#11 library (v2.2); this latest version is required to support SHA-2.

The fact that the ActivClient middleware exposes SHA-2 services to applications is usually not enough on its own. Applications usually have to be updated as well in order to support SHA-2, because software vendors have only recently started supporting this algorithm. The table below provides the information available to HID Global at the time of publication. It is recommended that you check with your software provider for the latest compatibility information.

Note: The table focuses on the ActivClient 7.4.1-supported environments.
Service: Email signature

Product and versions (supported applications):

  • Microsoft Outlook 2016 and later with Exchange 2013 SP1 and later

  • Outlook Web Access with Exchange 2013 SP1 and later

Notes:

Outlook information:

  • Requires Windows 8.1 latest update, 10, or 11.

  • Sender and recipient both need to comply with these Windows, Outlook and Exchange system requirements (otherwise, they cannot read the SHA-256 signed email).

  • You can use an ActivClient policy to configure SHA-2 as the default hashing algorithm.

Outlook Web Access information:

  • Requires Windows 8.1 latest update, 10, or 11.

  • Sender and recipient both need to comply with these Windows, Outlook and Exchange system requirements (otherwise, they cannot read the SHA-256 signed email).

  • Exchange requires a specific registry-based configuration: set the S/MIME Default Signing Algorithm to SHA 256. See details at http://technet.microsoft.com/en-us/library/bb738151(EXCHG.80).aspx.

Service: Document signature

Product and versions (supported applications):

  • Office 2016 and later (e.g. Word, Excel)

  • Adobe Acrobat Professional DC

Notes:

Office information:

Acrobat information:

  • Requires a specific policy configuration. See details at http://learn.adobe.com/wiki/download/attachments/52658564/acrobat_reader_security_9x.pdf?version=1 (pages 16 and 124).