An important update from Microsoft due out in August could break some things for businesses that aren’t prepared. The update will block anything that uses a cryptographic key shorter than 1024 bits.
Here are some issues that could affect those who haven’t prepared:
- Receiving error messages when browsing to websites that have SSL certificates with keys that are less than 1024 bits
- Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
- Problems creating or consuming email (S/MIME) messages that use keys shorter than 1024 bits for signatures or encryption
- Problems installing ActiveX controls that were signed with keys shorter than 1024 bits
- Problems installing applications that were signed with keys shorter than 1024 bits (unless they were signed prior to January 1, 2010, which by default will not be blocked).
If your systems are kept up to date and you’ve been following safe security practices, chances are this Microsoft update won’t change a thing for you. However, businesses that have a large array of systems and server software, some of which dates from several years ago, may have older certificates that no longer meet the new requirements.
To find out if this is your case, and to learn of available assistance, read the complete article at the link below.
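One way to take that inventory before the update lands, as an added example that is not part of the original article: the PowerShell script below walks the Personal, Trusted Root, Intermediate CA and Trusted Publisher stores for both the machine and the current user and lists every certificate whose RSA public key is shorter than 1024 bits, including CA certificates, since a short key anywhere in a chain will be blocked. It assumes Windows PowerShell 5.1 or newer with .NET Framework 4.6 or newer; the store list and the file path in the last comment are assumptions you should adjust to your environment.

```powershell
# Added example: inventory certificates with RSA keys shorter than 1024 bits,
# the size the August update enforces. Not code from the original article.
$MinimumKeyBits = 1024

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Returns the RSA modulus size in bits, or $null when the key is not RSA
    # (DSA and ECC keys are not affected by the update).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

function Find-WeakRsaCertificate {
    param([string[]]$StorePath)
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            $bits = Get-RsaKeyBits $cert
            if ($null -ne $bits -and $bits -lt $MinimumKeyBits) {
                [PSCustomObject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Assumed store list: Personal (My), Trusted Root (Root), Intermediate CA (CA)
# and Trusted Publisher (Authenticode signers) for machine and current user.
$stores = foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($name in 'My', 'Root', 'CA', 'TrustedPublisher') { "Cert:\$location\$name" }
}

$weak = Find-WeakRsaCertificate -StorePath $stores
if ($weak) {
    $weak | Sort-Object KeyBits | Format-Table -AutoSize
} else {
    Write-Host "No RSA certificates below $MinimumKeyBits bits found in the scanned stores."
}

# A certificate exported from a web server or a signed package can be checked
# the same way (hypothetical path):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\server.cer'
# Get-RsaKeyBits $cert
```

Run it in an elevated session so the LocalMachine stores are readable; any certificate it lists needs to be reissued with a longer key before the update is installed.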
For The Curious: A Brief Background on Encryption
The security of encryption is often measured by how long it would take to break that encryption, or more practically, by key length. The foundation of modern encryption is that some mathematical functions are very fast to compute in one direction but extremely slow to reverse. Using a key to turn the data you wish to encrypt into a cipher block is therefore very fast, but recovering the key, and with it breaking the encryption, takes a very long time.
All encryption can be broken, but we call it secure because of how long breaking it would take. That time depends on how much processing power the attacker has and on how long the key is. For example, an encryption system that used a 20-bit key would be horribly insecure, because a modern computer could break it in seconds. With a 1024-bit key, those seconds instead become several billion years.
Several years ago, most certificates were issued with 512-bit keys. On the computers of the time, brute-forcing or otherwise breaking such a private key was not considered feasible because it would take a ridiculously long time. Today, most security experts consider that length too short because of faster processors, GPU arrays being used to crack passwords, and so on. As cyberattack vectors evolve, so must security, and modern certificates are now issued with a minimum of 1024 bits.
Many businesses and corporations create their own certificates for a variety of purposes, from signing emails to encrypting corporate websites or even their own internal login systems. Up until now, Microsoft products such as Windows Server 2003 or 2008 allowed you to create certificates with a short key length. After the August update, that will no longer be possible.
Complete, original article posted at Tech Republic Security.