In the wake of Flame, the malware attackers used to spy on networks in Iran earlier this year, Microsoft has decided to upgrade its level of cryptographic key encryption and will support only systems using a minimum of 1024-bit keys. This change, which was applied on 15 August 2012, will materially impact organisations from today as they roll out the latest Microsoft patches.
What will this mean to your organisation? Quite simply, your older, legacy systems that rely on weak or too-short encryption keys won’t work. Calum Macleod, IT security expert at Venafi, the enterprise key and certificate management company, says: “This could spell disaster for many companies as their IT departments or their customers try to access legacy Microsoft applications or systems that rely on keys weaker than 1024 bits. Your systems could just come to a grinding halt.”
The Windows update affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems. Macleod suggests that to avoid system failures, you should assess which operating systems are currently running applications that rely on certificates with weaker keys, and replace these certificates with ones that rely on 1024-bit or stronger keys.
There are solutions for finding and automatically replacing at-risk certificates that use short keys or weak encryption algorithms. Among them is Venafi Assessor, a risk assessment capability made by Venafi, which contributed to the latest National Institute for Standards and Technology (NIST) Information Technology Laboratory (ITL) bulletin on certificate authority compromise and fraudulent certificates.
NIST currently recommends a Dec. 31, 2013 deadline for replacing 1024-bit with stronger RSA and DSA encryption. According to "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths," a 2011 special publication, "...since such keys are more and more likely to be broken as the 2013 date approaches, the data owner must understand and accept the risk of continuing to use these keys to generate digital signatures."