Microsoft to revoke certificates with fewer than 1024 bits

News by Dan Raywood

Microsoft is to only accept certificates with a minimum of 1024 bits.

Microsoft is to only accept certificates with a minimum of 1024 bits.

After it initially stated that it would revoke certificates with fewer than 2048 bits last month, it has now said that certificates with RSA keys less than 1024 bits in length will be blocked instead.

Microsoft has released nine critical and four important bulletins this month. Yunsun Wee, spokesperson at Microsoft Trustworthy Computing, said: “This update will be available in the Download Center as well as the Microsoft Update Catalog. This allows enterprise administrators to download and import the update into WSUS for testing before widely deploying the update throughout their enterprise.”

Wee said that this update is planned to be released via the Windows Update in October 2012.

Paul Henry, security and forensic analyst at Lumension, said that once this patch is applied, users will not be able to communicate with a product that uses 256-bit encryption and encouraged vendors to act upon this now if they want their product to continue to work in upcoming months.

He said: “When you apply this month's update from Microsoft, it will invalidate all of those less than 1024-bit certificates and it will effectively break your communication encryption.

“This will impact any new product sales that include encryption and just as importantly, perhaps any previously sold products overseas because the vendor may have to apply for an export permit before they can ship a solution with a higher level of encryption for use with a patched Microsoft product.”

Henry also suggested that this could create serious problems with computers using client server communications with these certificates, as well as having USA export permit ramifications for US firms that sell encryption products to clients outside of the US.

“Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption,” he said.

“Download the update and see if it breaks your encryption. If it does, you can do an uninstall or downgrade within the registry.”

Microsoft issued the change after it was revealed that Flame had an ability to create rogue certificates that appeared to be from the software giant. Mike Reavey, senior director of MSRC at Microsoft Trustworthy Computing, said that its Terminal Server Licensing Service, which allowed customers to authorise remote desktop services in their enterprise, used an older cryptography algorithm that could be exploited and then used to sign code.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews