Microsoft to reject certificates with fewer than 1024 bits

News by Dan Raywood

Microsoft will reject all certificates with fewer than 1024 bits as of Tuesday 9th October 2012.

Microsoft will reject all certificates with fewer than 1024 bits as of Tuesday 9th October 2012.

Following the announcement that it would revoke certificates with fewer than 2048 bits, Microsoft said that certificates with RSA keys less than 1024 bits in length will be blocked. Microsoft has recommended that people using RSA keys should choose a key length of at least 1024 bits after it spotted a number of digital certificates that did not meet its standard for security practices.

“Though we have no indication that those had been compromised or misused in any fashion, as a precautionary measure we've revoked them. A subset of those was in addition found to have code signing permissions, which has earned them a place in the Untrusted Certificate Store,” said Microsoft Trustworthy Computing spokesperson Yunsun Wee.

Paul Henry, security and forensic analyst for Lumension, said: “The biggest issue for this month from Microsoft is the certificate encryption. As we've been saying for the last several Patch Tuesdays, Microsoft is pushing out a patch that will break any encryption that is less than 1024-bit.

“This patch has been optional since August and we hope you've taken the time to test it and patch it. It will no longer be an option starting on Tuesday. There are still a few days left if you haven't tested it, but don't let this be an ‘I told you so' moment.”

Henry previously said that once this patch is applied, users will not be able to communicate with a product that uses 256-bit encryption, saying that this will impact any new product sales that include encryption and just as importantly, perhaps any previously sold products overseas and could create serious problems with computers using client server communications with these certificates.

He said: “Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption.”

If not replaced by this deadline, the risk of certificate-based malware attacks will remain high and disruptions to business and computing operations could include everything from Internet Explorer failures to inability to encrypt or digitally sign emails on Outlook 2010 and other legacy systems that rely on the older, weaker encryption keys.

The issue began with Flame's ability to create certificates that allow software to appear as if it was produced by Microsoft. According to key and certificate management vendor Venafi, Microsoft has advised its customers to take this step to harden security against known vulnerabilities and attack vectors in order to prevent business and operational disruptions.

Carl Leonard, senior security research manager, EMEA at Websense, told SC Magazine that Microsoft has given notice to people about the change, but it was difficult to make changes on technologies that may be used more frequently.

He said: “Microsoft have provided quite a few details to verify the capability of certificates in the browser, but it has been up to IT departments within businesses top realise this is happening and do an assessment on what to do.

“The good thing is that Microsoft are making a concerted effort to help people evaluate their security, as companies need to do this to help people and how it is securing individual servers and websites. It is also about how to digitally sign certificates or about how Outlook communicates with the Exchange server.”

Leonard said that businesses should not be using 256 or 512 bit anyway, and should have thought about upgrading previously, and said it was good that Microsoft helping everyone understand better security, and that people should be using 2048 bit certificates anyway.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews