Drug Enforcement Administration (DEA)
Office of Diversion Control
Controlled Substance Ordering System (CSOS)
FAQ: Secure Hashing Algorithm (SHA) Transition
The Drug Enforcement Administrationís (DEA) Controlled Substance Ordering System (CSOS) subscribersí digital certificates are being upgraded to the SHA-256 secure hashing algorithm. This upgrade will affect all systems and applications utilizing DEA CSOS certificates and may require system upgrades for SHA-256 compatibility. Software and hardware support and guidance will be provided by your software vendor.
SHA-1, developed by the National Security Agency (NSA), is a cryptographic hashing function that is used to transform a string of characters (data) into a fixed length value (or hash value) that represents the original string. An important application of this cryptographic hash function is message integrity where any change to the original data will change the hash value.
In 2005, the National Institute of Standards and Technology (NIST) discovered a weakness in SHA-1 and as a result, NIST decided that Federal agencies should stop using SHA-1 after 2010 and consider it deprecated for use in digital signatures through December 2013. NIST has instructed agencies to transition to a stronger secure hash algorithm, SHA-256.
What is the impact to CSOS?
The Controlled Substance Ordering System (CSOS) currently issues public key infrastructure (PKI) certificates that are signed digitally using a secure hash algorithm (SHA-1) to prevent tampering. As a result of discovered weaknesses with SHA-1, CSOS will be transitioning away from SHA-1 and begin using SHA-256 for signing digital certificates.
What are the Transition Timelines?
CSOS plans to be able to transition to SHA-256 prior to December 31, 2013 which is the deadline for generating digital signatures using SHA-1. Specific CSOS dates will be announced when available.
What References are available describing SHA-256?
SHA-1 transition dates and information on other algorithms that NIST is phasing
Special Publication 800-131A, Transitions: Recommendation for Transitioning the
Use of Cryptographic Algorithms and Key Lengths.
DEA CSOS Pilot Program Web Site contains information about the SHA-256 upgrade:
Microsoft Knowledgebase Article that contains Hotfix
information needed for Windows Server 2003 and Windows XP operating systems in
order to download SHA-256 signed certificates::
Windows PKI Blog contains information about the functionality of SHA-256 when
running Windows Server 2003 or Windows XP:
Most Common Compatibility Issues
Please refer to Appendix A: Software Products SHA-2 Support for a more complete list of SHA-256 compatible applications.
Applications that sit on Windows XP (WinXP) Service Packs 1 and 2, along with Windows Server 2003 Service Packs 1 and 2, will need to be modified to use SHA-256. A Microsoft Hotfix for SHA-256 compatibility is described in Microsoft Knowledgebase Article (KB 968730).
How Does This Affect Current CSOS Users?
Current CSOS users will remain unaffected until the Transition occurs.
Upon transition, CSOS users experiencing issues should first contact their software vendor or supplier
What are the Next Steps for Software Vendors?
Vendors can go to the DEA Pilot Program Web Site: http://diversiontest.usdoj.gov/developer.html
Vendors can download the new 2011 Test Suite (SHA-2-Hashing Algorithm) for testing and compatibility with software / hardware: http://diversiontest.usdoj.gov/testsuite/SHA2PilotSuite2011.zip
Who Do I Contact for Additional Information?
E-mail (Online Support Request Form ( http://diversiontest.usdoj.gov/support.html) Users navigate to Online Support Request Form and can email questions.
Users navigate to Online Support Request
Form and can email questions.
Appendix A: †Software Products SHA-2 Support
Microsoft products use the Microsoft
Cryptography Application Programming Interface (MS CAPI) to process hash
algorithms.se CAPI) to processes hash algorithms.
Some non-Microsoft products provide
their own cryptographic algorithms.
Windows 7, Windows Vista, and Server 2008 support
Windows XP Service Pack 3 and Windows Server 2003
Service Pack 2 (with a hotfix  )
can process and validate SHA-256, but cannot create a new SHA-256
signature. As a workaround, a SHA-1 signature can be used to sign
documents, e-mails, etc, if use of the algorithm is supported by risk
Older versions of Microsoft operating systems do
not support SHA-256.
Contact Vendor or Software for SHA-256