With all the fuss about SHA1 being deprecated when being used for SSL certificates, does this also apply to IPSEC VPNs?
I have a couple site to sites using either 3DES-SHA1 or AES256-SHA1 for encryption and wondering if it’s time to upgrade.
I would be more concerned about 3DES I think.
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html < A good generalized guideline.
I’d still look into migrating away from SHA1 over the next year or so, but I wouldn’t put it at an absolute priority unless required to for compliance reasons or business reasons.
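The linked guideline can be turned into a quick audit of the proposals named in the question. This is an added example, not code from the thread or from Cisco; the tier each algorithm is placed in is my own assumption loosely following the avoid/legacy/acceptable/NGE categories of that page, not a copy of its table.

```python
import re

# Tiers loosely modelled on the "avoid / legacy / acceptable / NGE" categories of the
# Cisco Next Generation Encryption guideline linked in the thread. The placement of
# each algorithm below is an assumption for this example, not Cisco's exact table.
TIER = {
    "des": "avoid", "md5": "avoid",
    "3des": "legacy", "sha1": "legacy",
    "aes128": "acceptable", "aes192": "acceptable", "aes256": "acceptable", "sha256": "acceptable",
    "aes128gcm": "nge", "aes256gcm": "nge", "sha384": "nge", "sha512": "nge",
}
RANK = {"avoid": 0, "legacy": 1, "acceptable": 2, "nge": 3}

# Longest alternatives first so "3des" wins over "des" and "sha256" over bare "sha".
# Vendor shorthand: bare "sha" (e.g. Cisco esp-sha-hmac) means SHA-1, bare "aes" means AES-128.
ALG_RE = re.compile(
    r"aes(?:128|192|256)gcm|aes(?:128|192|256)|aes(?!\d)|3des|des|md5"
    r"|sha512|sha384|sha256|sha1|sha(?!\d)"
)
ALIASES = {"aes": "aes128", "sha": "sha1"}

def audit_proposal(proposal):
    """Classify one IKE/IPsec proposal string, e.g. '3DES-SHA1' or 'esp-aes esp-sha-hmac'.

    Returns (overall_tier, {algorithm: tier}). overall_tier is the weakest component
    found, since the proposal is only as strong as its weakest algorithm. Keywords
    not in TIER are ignored; an empty match set is reported as 'unknown'.
    """
    flat = re.sub(r"[^a-z0-9]", "", proposal.lower())      # "AES256-SHA1" -> "aes256sha1"
    found = {}
    for m in ALG_RE.finditer(flat):
        alg = ALIASES.get(m.group(0), m.group(0))
        found[alg] = TIER[alg]
    if not found:
        return ("unknown", found)
    overall = min(found.values(), key=RANK.__getitem__)
    return (overall, found)

def needs_upgrade(proposal):
    """True when any component sits below 'acceptable' (avoid or legacy) or nothing was recognised."""
    overall, _ = audit_proposal(proposal)
    return overall == "unknown" or RANK[overall] < RANK["acceptable"]

if __name__ == "__main__":
    # Constructed sample: the two proposals from the question plus two replacement candidates.
    for p in ["3DES-SHA1", "AES256-SHA1", "AES256-GCM SHA384", "esp-aes esp-sha-hmac"]:
        overall, parts = audit_proposal(p)
        print(f"{p:22} -> {overall:10} {parts}  upgrade: {needs_upgrade(p)}")
```

Both proposals from the question come back as "legacy" because of SHA1, and the 3DES one for its cipher as well.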
The computing power required to crack sha1 is theoretically within range. But, still very expensive. For the past few years there has been talk that it would be possible to cause a collision and crack the key, but only in October(?) has anyone been able to do that. I think it’s estimated to cost about 6 figures to crack a key in terms of just the computing power required, but of course as time progresses it will become cheaper and more attainable.
The warnings in browsers primarily relate to the fact that no certificate authority is supposed to be issuing these anymore at this point, and I think it’s 1/1/17 where there aren’t supposed to have been any still valid.
In all probability your VPN is fine for awhile if you’re 100% sure it’s your certificate in use.
I’m dealing w/ this now (as well as switches to TLS) though because vendors are switching away from it citing PCI Compliance requirements, but as far as I know that’s not a hard and fast requirement either, haven’t been able to find that really…
3DES is already being phased out because it’s so ungodly slow compared to AES (or anything, really).