Minimum Certificate RSA Key Length Windows Update (1024 Bits) October 5th, 2012

Vinod Kumar


Microsoft Security Advisory (2661254) – the source for everything summarized below.


What is this update about?

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Recommendation: Microsoft recommends that customers download the update and assess the impact of blocking certificates with RSA keys less than 1024 bits in length before applying the update to their enterprise.

What OS / Systems/ devices does this update apply to?

Read about the affected software and devices in the advisory, under the section Affected Software and Devices.

Where can I download this update from?

The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows.

Direct Catalog Link.

What could be the potential impact if I do not test this update before deploying in my environment?

Some systems may stop working as they did before the update, because the digital certificates they rely on do not meet the new requirement of an RSA key length of at least 1024 bits.

Read about known issues here:

How do I know if my environment is impacted by this?

There are four main methods for discovering if RSA certificates with keys less than 1024 bits are in use:

  1. Check certificates and certification paths manually
  2. Use CAPI2 logging
  3. Check certificate templates
  4. Enable logging on computers that have the update installed

Read about each of the four methods in detail at this link (under the section Discover RSA certificates with key lengths of less than 1024 bits).
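Method 1 (checking certificates and their certification paths) is tedious to do by hand on more than a few machines. The following PowerShell script is an added example, not code from the original post or from Microsoft's KB guidance, that automates it: it walks the machine and user certificate stores, builds each certificate's chain so that weak intermediate and root CAs are caught as well as weak end-entity keys, and reports every RSA public key shorter than 1024 bits. It also reads the threshold this machine currently enforces from the registry value that the certutil -setreg chain\minRSAPubKeyBitLength command described later on this page writes (the MinRsaPubKeyBitLength value under the Config key). The store list, the report layout and that value name are this script's assumptions; it is read-only and written for Windows PowerShell 3.0 or later.

```powershell
<#
  Added example, not code from the original post or from KB 2661254.
  Automates discovery method 1: walks the machine and user certificate stores,
  builds each certificate's chain, and reports every RSA public key shorter than
  $MinBits (1024 by default, the limit KB 2661254 enforces). Read-only.
  Assumed: the store list, the report layout, and that the current threshold
  lives in the Config key that 'certutil -setreg chain\minRSAPubKeyBitLength'
  writes to, under the value name MinRsaPubKeyBitLength.
#>
param(
    [int]$MinBits = 1024,
    [string[]]$Stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
)

$rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption; DSA/ECC keys are not subject to this update
$seen   = @{}                      # thumbprint -> $true, so a CA shared by many chains is listed once
$weak   = @()

function Get-RsaKeySize {
    # Returns the modulus length in bits, or $null for non-RSA keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($Cert.PublicKey.Oid.Value -ne $rsaOid) { return $null }
    return $Cert.PublicKey.Key.KeySize
}

function Get-ChainCertificates {
    # Returns the leaf plus every intermediate and root the chain engine selects for it.
    # Revocation is skipped and verification errors are tolerated: this is an
    # inventory, not a trust decision, and a chain that fails to validate still
    # has to be reported.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllFlags
    $null = $chain.Build($Cert)
    $certs = foreach ($element in $chain.ChainElements) { $element.Certificate }
    $chain.Reset()
    return $certs
}

foreach ($store in $Stores) {
    $leaves = Get-ChildItem -Path $store -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }
    foreach ($leaf in $leaves) {
        foreach ($c in (Get-ChainCertificates -Cert $leaf)) {
            if ($seen.ContainsKey($c.Thumbprint)) { continue }
            $seen[$c.Thumbprint] = $true
            $bits = Get-RsaKeySize -Cert $c
            if ($null -ne $bits -and $bits -lt $MinBits) {
                $weak += [pscustomobject]@{
                    Store      = $store
                    KeyBits    = $bits
                    Subject    = $c.Subject
                    Issuer     = $c.Issuer
                    NotAfter   = $c.NotAfter
                    FoundVia   = $leaf.Subject      # the store entry whose chain pulled this cert in
                    Thumbprint = $c.Thumbprint
                }
            }
        }
    }
}

# What this machine currently enforces (the value is absent until the update or an admin sets it).
$cfg = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$configured = (Get-ItemProperty -Path $cfg -Name MinRsaPubKeyBitLength -ErrorAction SilentlyContinue).MinRsaPubKeyBitLength
if ($null -eq $configured) { Write-Output "MinRsaPubKeyBitLength not set; default is 1024 once KB 2661254 is installed." }
else                       { Write-Output "MinRsaPubKeyBitLength is $configured." }

if ($weak.Count -eq 0) {
    Write-Output "No RSA public keys shorter than $MinBits bits in $($Stores -join ', ')."
} else {
    Write-Output "$($weak.Count) certificate(s) with RSA keys shorter than $MinBits bits:"
    $weak | Sort-Object KeyBits, Subject | Format-Table Store, KeyBits, Subject, Issuer, NotAfter, FoundVia -AutoSize
}
```

Run it as an administrator so the LocalMachine stores are readable, e.g. `.\Find-WeakRsaKeys.ps1 -MinBits 1024`. A certificate listed with a FoundVia subject different from its own is a CA certificate: replacing the end-entity certificate alone will not fix that chain, the issuing CA has to be re-keyed (or a different path chosen) first.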

What if I find a certificate with an RSA key less than 1024 bits in length?

Customers that identify any certificates using RSA keys shorter than 1024 bits in their environments:

  1. Need to request new certificates with longer keys from their certification authority.
  2. Customers that manage their own PKI need to generate new, longer key pairs and issue new certificates from them.

Customers should evaluate using a sufficient key length to match their requirements for data encryption which may exceed the minimum required by this update.

What if I am not ready to deploy this update? What are my options?

1. Enable certificate logging to help identify the usage of RSA keys less than 1024 bits in length

By default, logging is not enabled. You enable it by setting a logging directory in the registry; certificates with RSA keys shorter than 1024 bits that are encountered during chain building are then logged to that directory. Create the directory before setting the value, and make sure the accounts whose processes build certificate chains (logged-on users and service accounts, not only administrators) can write to it.

Warning – If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config]
; REG_SZ: full path of an existing directory to write the log to (the directory name below is only an example)
"WeakSignatureLogDir"="C:\\Under1024KeyLog"

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, see Core Group Policy Tools and Settings.

2. Block the update from being deployed through your deployment solution.

Use your current patch deployment solution (System Center Configuration Manager, WSUS, or any other) and disable automatic deployment of this update.

Opt-out Setting – You can also make manual changes to the key lengths that are blocked. Read here:

Example – The certutil command can change the registry setting that controls the key size below which certificates are blocked. For example, to allow 512-bit keys and block only keys shorter than 512 bits, run:

Certutil -setreg chain\minRSAPubKeyBitLength 512

Note – This should not be a long-term solution: you remain exposed to the weakness of short RSA keys until you renew your certificates with keys of 1024 bits or more.

Where can I read more about this update?

Below is a chronological listing of the blog postings discussing this upcoming change:

  1. RSA keys under 1024 bits are blocked (2012-06-11)
  2. Certificate Trust List update and the June 2012 bulletins (2012-06-12)
  3. Gadgets, certificate housekeeping and the July 2012 bulletins (2012-07-10)
  4. Microsoft’s continuing work on digital certificates (2012-07-10)
  5. Blocking RSA Keys less than 1024 bits (part 2) (2012-07-13)
  6. Blocking RSA keys less than 1024 bits (part 3) (2012-08-14)

Microsoft released a security advisory, KB article, and software update for all supported versions of Windows that blocks RSA certificates with keys less than 1024 bits. The software update was released to the Download Center.

  1. The security advisory is located at
  2. The KB article is available at

The update is available now so that organizations can assess its impact and reissue certificates with larger key sizes, if necessary, before it is sent out through Windows Update. It is planned to be released through Windows Update on October 9, 2012.

September ANS and an important heads-up concerning certificates (2012-09-06)

Thought this was an important update to pass on. Feel free to spread the news.


This entry was posted on Friday, October 5th, 2012 at 18:45 and is filed under Technology.
