0

Microsoft first started warning people that the there was going to be an important change to Windows' certificate requirements back in June. A change that is designed to improve security across the Windows platform by way of increasing the RSA key length to a minimum of 1024 bits for certificates used in Public Key Infrastructure (PKI). That requirement change happens today, October 9th, but are you one of those people who, as Angela Gunn from Microsoft Security Response Center puts it, has "systems and applications that have been tucked away to collect dust and cobwebs because they 'still work' and have not had any cause for review for some time"?

If so, your time has come and those certificates will need to be reissued with at least a 1024-bit key from today in order to comply with Microsoft's requirements. Truth be told, you should actually be looking to at least double that to 2048 bits in order to meet security best practise minimums. Indeed, the National Institute of Standards and Technology (NIST) depreciated keys of 1024 bits or less way back in January 2011.

According to Microsoft, Security Advisory 2661254 (Update For Minimum Certificate Key Length) "impacts applications and services that use RSA keys for cryptography and call into the CertGetCertificateChain function. These applications and services will no longer trust certificates with RSA keys less than 1024 bits in length. Examples of impacted applications and services include but are not limited to encrypted email, SSL/TLS encryption channels, signed applications, and private PKI environments. Certificates that use cryptographic algorithms other than RSA are not affected by this update."

Certainly if your business is reliant upon Microsoft Windows operating systems then it should take immediate action to find and replace all digital certificates signed with RSA encryption keys that are less than 1024 bits in length. Security vendor Venafi warns that failure to do so leaves them at a high risk of falling victim to a certificate-based malware attack and facing business disruptions including everything from Internet Explorer failures to inability to encrypt or digitally sign emails on Outlook 2010 and other legacy systems that rely on the older, weaker encryption keys.

Obviously, hardening defences against weak encryption attacks is a good thing. However, the Microsoft approach of addressing the security problem of weak crypto keys through software updates doesn't address weak keys and certificates which are deployed outside of the Microsoft CAPI environment. "Enterprises that want to address security risks driven by weak cryptographic keys deployed across their networks will need to utilize technologies outside of Microsoft updates to identify, revoke and replace these keys and certificates" Venafi warns, noting "Microsoft's efforts will not simply affect the certificate stores but any application that uses CAPI certificate processing -- no matter where the certificate is."

Edited by happygeek: unstuck

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

3
Contributors
2
Replies
8
Views
5 Years
Discussion Span
Last Post by LastMitch
0

Obviously, hardening defences against weak encryption attacks is a good thing. However, the Microsoft approach of addressing the security problem of weak crypto keys through software updates doesn't address weak keys and certificates which are deployed outside of the Microsoft CAPI environment. "Enterprises that want to address security risks driven by weak cryptographic keys deployed across their networks will need to utilize technologies outside of Microsoft updates to identify, revoke and replace these keys and certificates" Venafi warns, noting "Microsoft's efforts will not simply affect the certificate stores but any application that uses CAPI certificate processing -- no matter where the certificate is."

I think most company still rely on Microsoft OS System/Server. So it is not a good thing if encryption key expired. More headache for Network Tech to figure out how to approached something like this.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.