
Netskope Global Technical Success (GTS)

Why Netskope Does Not Support File Hash - SHA-1

 

Netskope Cloud Version - 126

 

Objective

Highlight the technical reasons why Netskope does not support SHA-1 file hashes.

 

Prerequisite

SWG or Next-Gen SWG license

 

Context

Customers can use Netskope’s File Profile configuration to allow or block files based on their hash values. Currently, the product supports MD5 and SHA-256 hashes. This document explains why SHA-1 hashes are not supported.

 

Do You Know?

  • With the current Netskope product design, only MD5 and SHA-256 hashes are supported.

Path: Netskope Tenant UI >>> Policies >>> Profile - - - File Profile >>> Add File Profile


Details

  • What Is SHA-1?

SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits.

 

  • SHA-1 is Cryptographically Broken

a. SHA-1 is no longer secure.

b. Since 2005, researchers have shown that SHA-1 is vulnerable to collision attacks.

c. In 2017, Google publicly demonstrated a practical SHA-1 collision (SHAttered attack).

d. This means attackers can create two different files with the same SHA-1 hash, making it unreliable for identification and blocking.

 

  • Using SHA-1 Can Lead to False Negatives/Positives

a. Collision risk means two distinct files could have the same SHA-1 hash.

b. A security system using SHA-1 for blocking could fail to block malicious content.

c. Or worse, it could accidentally block a benign file that shares the same SHA-1 hash.

 

  • SHA-256

SHA-256 produces a 256-bit hash instead of SHA-1’s 160-bit hash, making it less susceptible to brute-force attacks. SHA-1 has known vulnerabilities that make it less secure than SHA-256.

 

Recommendations

To configure File Profile policies for Allow or Block actions, follow these guidelines:

  • Generate an MD5 or SHA-256 hash for each file you want to Allow or Block.
  • You can use trusted tools — including various online hash generators or local utilities (e.g., sha256sum on Linux, Get-FileHash on Windows) — to calculate the SHA-256 hash of a specific file.
  • While SHA-256 and MD5 are both commonly used, SHA-256 is the recommended and more secure option due to its stronger cryptographic properties.
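
The following is an added example, not Netskope code: a Python helper that computes a file's SHA-256 (or MD5) locally and sorts an existing hash list into values of a supported type and values that need rework. A SHA-1 value cannot be converted to SHA-256; the original file has to be hashed again. Function names and the sample list are constructed for illustration.

```python
import hashlib
import re

# Hex-digit lengths: 32 = MD5, 40 = SHA-1, 64 = SHA-256.
BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
SUPPORTED = {"md5", "sha256"}  # the two types the page lists for File Profiles
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value):
    """Name the digest type from its shape, or 'invalid' if it is not a digest."""
    value = value.strip()
    if not HEX_RE.fullmatch(value):
        return "invalid"
    return BY_LENGTH.get(len(value), "invalid")


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never sit fully in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(entries):
    """Split candidate hashes into usable values and ones that need rework."""
    usable, rejected = [], []
    for raw in entries:
        value = raw.strip().lower()  # lowercase is this example's own convention
        kind = classify_hash(value)
        (usable if kind in SUPPORTED else rejected).append((kind, value))
    return usable, rejected


if __name__ == "__main__":
    # Constructed sample list: digests of the 3-byte string "abc" and one bad line.
    sample = [
        "900150983cd24fb0d6963f7d28e17f72",
        "A9993E364706816ABA3E25717850C26C9CD0D89D",
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        "not-a-hash",
    ]
    usable, rejected = triage(sample)
    for kind, value in usable:
        print(f"OK      {kind:<7} {value}")
    for kind, value in rejected:
        # A SHA-1 entry must be replaced by hashing the original file again.
        print(f"REWORK  {kind:<7} {value}")
```
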

 

Author Notes

  • Please note that the lack of SHA-1 support in Netskope File Profiles is not due to a product limitation, but rather a deliberate security decision.
  • SHA-1 is no longer considered secure due to its vulnerability to collision attacks. In such attacks, a malicious actor can generate two different files with the same SHA-1 hash, potentially allowing them to bypass security controls by substituting a malicious file for a legitimate one.
  • For this reason, Netskope does not support SHA-1 in File Profile policies, in alignment with industry best practices and modern security standards.
  • Instead, SHA-256 is fully supported and strongly recommended for all file-based policy enforcement.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
