Supported hash algorithms in MSMQ
Here's some data I had to pull together today about authentication (message signing) and thought may be worth sharing.
When signing an outgoing message, MSMQ can use a number of algorithms depending on the version.
Algorithm Available in Default for MAC all versions - MD2 all versions - MD4 all versions - MD5 all versions MSMQ 1.0 – 3.0 SHA-1 MSMQ 2.0 (Windows 2000 Service Pack 4) and above MSMQ 4.0 SHA-2 MSMQ 4.0 and above MSMQ 5.0
There is also a limitation if you are sending messages to HTTP/HTTPS or multicast addresses (MSMQ 3.0 and above) when only MD5/SHA-1 are available and SHA-1 is the default.
Although all the algorithms are still currently supported, the older ones are regarded as too weak and have been disabled in MSMQ 4.0 (MAC, MD2, MD4, MD5) and MSMQ 5.0 (SHA-1). These can be reinstated using the WeakHashAlgorithms registry key.
Here’re some definitions of the algorithms from the MSDN Security Glossary and Wikipedia:
Algorithm MAC “Message Authentication Code” MD2 MD4 MD5 “Message Digest” Hashing algorithms that create a 128-bit hash value. MD2 was optimized for use with 8-bit computers and MD4/MD5 for 32-bit computers. Developed by RSA Data Security, Inc. SHA-1 SHA-2 “Secure Hash Algorithm” Hashing algorithms that generate a message digest. SHA is used with the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), among other places. Developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA). SHA-1 generates a 160-bit message digest. NIST published four additional hash functions in the SHA family, named after their digest lengths (in bits): SHA-224, SHA-256, SHA-384, and SHA-512. These algorithms are collectively known as SHA-2. SHA-256 and SHA-512 are computed with 32- and 64-bit words, respectively. SHA-224 and SHA-384 are simply truncated versions of the first two.
MSMQ 4.0
Authentication
Message Queuing 4.0 supports Secure Hash Algorithm version 1.0 (SHA1) and all advanced hash algorithms that are supported in this version of Windows. The default is SHA1. Support for algorithms such as Message Digest version 2 (MD2), MD4, MD5, and Message Authentication Code (MAC) have been disabled by default in Message Queuing 4.0 because these algorithms are considered less secure.
MSMQ 5.0
What's New in Message Queuing 5.0
More Secure Authentication Algorithm
Message Queuing 5.0 supports Secure Hash Algorithm 2.0 (SHA2) and all advanced hash algorithms that are supported in this version of Windows. The default is SHA-2 with 512 bit digest length. Support for algorithms such as SHA1, Message Digest version 2 (MD2), MD4, MD5, and Message Authentication Code (MAC) have been disabled by default in Message Queuing 5.0 because these algorithms are considered less secure.
References
- MSMQ product group blog (Motley Queüe) - “Authentication and MSMQ4”
- MSDN Security Glossary
- MSDN documentation for PROPID_M_HASH_ALG
- Wikipedia – SHA hash functions