Member Article

What is SHA2? Are you ready for it?

What is SHA?

SHA stands for Secure Hashing Algorithm and it basically turns anything written, in this case it will be bank details from the Bacs network, along with sort codes and bank account numbers, and converts them into a totally unique and highly complicated code, so nobody can steal the details while it is transferred.

What does SHA have to do with Bacs?

Bacs (Bank Automated Clearing system) currently uses a SHA1 encryption on all of their data, either going to the Bacs network, or coming from the Bacs network. The security change that you may have heard about is with regards to this. Bacs are changing from SHA1 to SHA2, and though that may sound easy and straight forward, it is not.

How will it affect you?

These systems are used in your everyday computing, it is in all websites that use https:// as a way of encrypting your data to make sure your password can’t be stolen. These are called certificates and are ‘signed’ by the relevant trusted authorities so that you know that you are going onto a trusted and correct website.

However older versions of encryption software can be used to trick newer versions into accepting them. Before SHA1 there was an encryption called MD5 that was far weaker and could be ‘cracked’ to pose as a website that it is not. MD5 was only removed in 2011, despite being viewed as weak for 16 years. Relevant authorities believe the same may happen for SHA1, and this is why there is a push for it now.

Though SHA1 is not viewed as weak as of now, but by the time it needs to be removed it very well could be, just like MD5.

This in itself can mean that some of the software that you are using to send information to and receive information from Bacs can become incompatible. Your Bacs provider WILL need to upgrade their software, which could be very costly.

Why would there need to be a change?

As computers become more powerful, the SHA1 algorithm will become easier to crack. Academics have predicted that computers will be able to crack SHA1 in coming years, thus why there is a move to SHA2 coming soon. This change will not be sudden, and many web browsers and suppliers have already changed to this system. The official date for the end of SHA1 is the 1st January 2017, therefore everything using SHA1 needs to change by then.

Bacs of course won’t be using SHA1 till that point, and they are changing it over, but have yet to release the date at which they will do it.

What should I look out for?

Things you need to look out for are browsers becoming outdated with this SHA1 encryption. Whilst the Bacs network is highly secure, the browser may not be, so keep it updated.

As for your Bacs supplier, whether it is a Bureau or Software supplier, you need to watch out to make sure they do not charge you for the upcoming changes. Suppliers such as Unified Software do not charge for any updates or upgrades to the system. Ever.

This was posted in Bdaily's Members' News section by Andrew Jenkins .