Does Microsoft Certificate Store (MCS) support SHA 2 (256)?

    Question

  • Hi there, I have a question. I have an older commercial application (IBM DOORS) that we use that we are trying to convert to use smart card authentication. DOORS can be configured to use MCS for authentication. But, the IBM support site indicates that MCS does not support SHA 2 (512). It does not say anything about SHA 2 (256). I've been searching online, but have been unable to find much information on MCS and what encryption it supports.

    Does anyone know if MCS supports SHA 2 (256)?

    Full disclosure: I am not an IT professional, so please bear with me.

    Thanks in advance for your help!

    Mike

    Thursday, 12 July 2018 10:37

All replies

  • I can't speak to IBM DOORS, but when you refer to Microsoft Certificate Store, are you referring to the Certification Authority service offered by Microsoft called Active Directory Certificate Services? It is the service capable of issuing certificates to an environment. In that case, Microsoft ADCS can issue both SHA1 and SHA2 (256, 384, 512) signed certificates to devices and users.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Thursday, 12 July 2018 16:18
  • I'm honestly not sure. The IBM site says:

    "You can configure IBM® Rational® DOORS® so that users can log on by using Microsoft Certificate Store (MCS) authentication."

    and then right after it says

    "Rational DOORS supports certificates that are stored in MCS Store and not in the newer Microsoft Cryptography Next Generation (MCSNG) store. Certificates using SHA2 (512) are not compatible with MCS and therefore you cannot use them with Rational DOORS."

    The IBM link is here: https://www.ibm.com/support/knowledgecenter/SSYQBZ_9.6.1/com.ibm.doors.configuring.doc/topics/c_configmcs.html

    I assume that MCS is an older Microsoft thing that has been replaced, but I'm not sure. Any help is greatly appreciated!

    Mike

    Thursday, 12 July 2018 18:32
  • Wow, IBM is really making up their own terms. I believe if you change "MCS Store" to "Microsoft Cryptographic Service Provider (CSP)" and "Microsoft Cryptography Next Generation store" to "Microsoft Key Storage Provider (KSP)" it makes more sense. CSPs are older providers that only support SHA1. KSPs were introduced with server 2008 and provide support for Suite-B algorithms that include SHA2 (256,384,512).

    So what they are trying to say is Rational DOORS only supports SHA1 based CSP certificates/keys. 

    If you need to use SHA256, then you would have to be using a KSP and that does not appear to be supported by IBM DOORS.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Thursday, 12 July 2018 18:55
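The reply above separates two properties that are easy to confuse: the hash algorithm in the certificate's signature (sha1RSA vs. sha256RSA) and whether the private key is held by a legacy CSP or a CNG KSP. The following PowerShell script, an added example that is not from the thread or from IBM or Microsoft documentation, reports both for every RSA certificate with a private key in the user's personal store, so a certificate can be checked against the "CSP only" constraint before it is tried with an application. It assumes Windows PowerShell 5.1 or later with .NET Framework 4.6 or newer, where `GetRSAPrivateKey` returns `RSACryptoServiceProvider` for CSP-backed keys and `RSACng` for KSP-backed keys.

```powershell
# Added example: list each RSA certificate with a private key in the given store and
# report its signature hash algorithm and the type of key storage provider holding the key.
# Assumes Windows PowerShell 5.1+ and .NET Framework 4.6+ (GetRSAPrivateKey available).
function Get-CertProviderInfo {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # Returns the RSA object for the key; the concrete type reveals the provider family.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { continue }   # non-RSA (e.g. ECC) keys are skipped; this check is RSA-only

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $providerType = 'KSP (CNG)'
            $providerName = $rsa.Key.Provider.Provider
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $providerType = 'CSP (legacy CryptoAPI)'
            $providerName = $rsa.CspKeyContainerInfo.ProviderName
        } else {
            $providerType = 'unknown'
            $providerName = $rsa.GetType().Name
        }

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            ProviderType       = $providerType
            ProviderName       = $providerName
        }
    }
}

Get-CertProviderInfo | Format-Table -AutoSize
```

For a smart card, run this with the card inserted; the same provider name can also be read from the "Provider =" line that `certutil -user -store My` prints for each certificate.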
  • Thanks for clarifying that. A question: I do find it odd that they seemed to specifically call out (512). Is it possible for something to support SHA2 256 but not SHA2 512?

    Mike

    Friday, 13 July 2018 09:57
  • Anything is possible. If they had not been so specific about saying CNG (KSP) was unsupported, then I would have interpreted them as saying only SHA512 was unsupported. But since they specifically called out CNG based certificates and only support CSP, that leads me to believe they only support SHA1 as that is all CSPs can support.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Friday, 13 July 2018 14:16