CASE#07121136 - Hashing Algorithms Audit Query

[anushabesta]

Hi Team,

It is regarding Veeam backup and replication.

One of our clients is going through an audit and auditor requesting to change the hashing algorithm to SHA-2 instead of SHA-1 to meet their standards.

Veeam support engineer mentioned that we cannot change to SHA-2. However, he does not have a reason why it is not possible to change? or if there are any future plans to include SHA-2 in future VBR releases? If yes, when.

Also, the clients' auditors are asking them for a business reason and to justify the use of SHA-1 and SHA-256 in their environment as opposed to available SHA-2 options.

Please advise.

Please refer the support case for more information.

Thanks!

[PetrM]

Hello and Welcome to Veeam R&D Forums!

An option to switch the hashing algorithm to SHA-2 is not implemented in the code, that's why it is not possible to change the currently used algorithm. I'm not ready to share any plans regarding SHA-2 support, the task requires significant engineering resources, at least from the product quality control perspective: if we decide to do it, we'll need to re-test all the usage scenarios that include such operations as certificate thumbprint and HMAC generation (maybe something else), and it takes time.

Anyway, your request is noted and we'll discuss it internally.

Thanks!