can someone tell why Outlook client S/MIME settings use SHA1 as the default Hash Algorithm?
Doesn't that put the certificate private key to a risk when weak algorithm is used? Or am I misunderstanding the signing process?
Thanks, -Harri
Doesn't that put the certificate private key to a risk when weak algorithm is used?
No. The private key is not hashed and never published that way – instead the message data is hashed and that hash gets signed with the private key.
But even if the private key were actually hashed and the hash published, the key is still long enough that it remains impossible to guess it from the SHA1 hash.
The main weakness of SHA1 and MD5 is about creating identical hashes from different data – not about recovering the original data from a hash (which, as far as I've read, is still only doable through brute force).
So the risk here is that someone could take your signed message, then create their own specially formatted message that has different text yet still matches the old signature (because the message data hashes to the same value).
why Outlook client S/MIME settings use SHA1 as the default Hash Algorithm?
I'm only guessing, but most likely it's just in case your recipients might still be using clients which do not support validating SHA256-based signatures. It used to default to 3DES encryption for the same reason.
(PGP keys usually indicate what algorithms are supported by the key owner's software, but that's much less common for S/MIME, as the S/MIME certificate is usually issued without knowing what mail client it'll be used with.)
You may set the default hash algorithm in Outlook in:
File > Options > Trust Center > Trust Center Settings > E-Mail Security > Settings > Hash Algorithm.
If it has only SHA1 on the list of available algorithms, this means that the certificate only supports SHA1. Check with your Provider to see if the certificate given to you also supports other hash algorithms (SHA512, SHA384, SHA256).
You might try setting others as Default Hash Algorithm via group policy.
Reference link:https://getadmx.com/?Category=Symantec-PKI-Client&Policy=Com.Symantec.PKIClient.Policies.PolicySettings::OutlookProfileConfiguration