DEA Office of Diversion Control CSOS Pilot Program DEA Office of Diversion Control CSOS Pilot Program

Drug Enforcement Administration (DEA)
Office of Diversion Control
Controlled Substance Ordering System (CSOS)

FAQ: Secure Hashing Algorithm (SHA) Transition


The Drug Enforcement Administrationís (DEA) Controlled Substance Ordering System (CSOS) subscribersí digital certificates are being upgraded to the SHA-256 secure hashing algorithm. This upgrade will affect all systems and applications utilizing DEA CSOS certificates and may require system upgrades for SHA-256 compatibility. Software and hardware support and guidance will be provided by your software vendor.


SHA-1, developed by the National Security Agency (NSA), is a cryptographic hashing function that is used to transform a string of characters (data) into a fixed length value (or hash value) that represents the original string. An important application of this cryptographic hash function is message integrity where any change to the original data will change the hash value.

In 2005, the National Institute of Standards and Technology (NIST) discovered a weakness in SHA-1 and as a result, NIST decided that Federal agencies should stop using SHA-1 after 2010 and consider it deprecated for use in digital signatures through December 2013. NIST has instructed agencies to transition to a stronger secure hash algorithm, SHA-256.

What is the impact to CSOS?

The Controlled Substance Ordering System (CSOS) currently issues public key infrastructure (PKI) certificates that are signed digitally using a secure hash algorithm (SHA-1) to prevent tampering. As a result of discovered weaknesses with SHA-1, CSOS will be transitioning away from SHA-1 and begin using SHA-256 for signing digital certificates.

What are the Transition Timelines?

CSOS plans to be able to transition to SHA-256 prior to December 31, 2013 which is the deadline for generating digital signatures using SHA-1. Specific CSOS dates will be announced when available.

What References are available describing SHA-256?

         For SHA-1 transition dates and information on other algorithms that NIST is phasing out, see:

NIST Special Publication 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.

         DEA CSOS Pilot Program Web Site contains information about the SHA-256 upgrade:

         Microsoft Knowledgebase Article that contains Hotfix information needed for Windows Server 2003 and Windows XP operating systems in order to download SHA-256 signed certificates::

         Microsoft Windows PKI Blog contains information about the functionality of SHA-256 when running Windows Server 2003 or Windows XP:

Most Common Compatibility Issues

Please refer to Appendix A: Software Products SHA-2 Support for a more complete list of SHA-256 compatible applications.

         Applications that sit on Windows XP (WinXP) Service Packs 1 and 2, along with Windows Server 2003 Service Packs 1 and 2, will need to be modified to use SHA-256. A Microsoft Hotfix for SHA-256 compatibility is described in Microsoft Knowledgebase Article (KB 968730)[1].

How Does This Affect Current CSOS Users?

Current CSOS users will remain unaffected until the Transition occurs.

Upon transition, CSOS users experiencing issues should first contact their software vendor or supplier

What are the Next Steps for Software Vendors?

         Vendors can go to the DEA Pilot Program Web Site:

         Vendors can download the new 2011 Test Suite (SHA-2-Hashing Algorithm) for testing and compatibility with software / hardware:

Who Do I Contact for Additional Information?

E-mail (Online Support Request Form ( Users navigate to Online Support Request Form and can email questions.

Users navigate to Online Support Request Form and can email questions.






Appendix A: Software Products SHA-2 Support



††††††††††††††††††††††††††††††††††††† MANUFACTURER




Microsoft products use the Microsoft Cryptography Application Programming Interface (MS CAPI) to process hash CAPI) to processes hash algorithms.



Some non-Microsoft products provide their own cryptographic algorithms.

         Windows 7, Windows Vista, and Server 2008 support SHA-256.

         Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 (with a hotfix [2] ) can process and validate SHA-256, but cannot create a new SHA-256 signature.  As a workaround, a SHA-1 signature can be used to sign documents, e-mails, etc, if use of the algorithm is supported by risk assessment.

         Older versions of Microsoft operating systems do not support SHA-256.

Contact Vendor or Software for SHA-256 compatbility.


[1] Microsoft Knowledgebase Article:

[2] Hotfix for Windows Server 2003 and Windows XP:

Return to previous screen