Skip Links

In face of Flame malware, Microsoft will revamp Windows encryption keys

Microsoft security change could cause problems for legacy systems, applications accessing Web sites and email platforms

By , Network World
July 11, 2012 04:38 PM ET

Network World - Starting next month, updated Windows operating systems will reject encryption keys smaller than 1024 bits, which could cause problems for customer applications accessing Web sites and email platforms that use the keys.

The cryptographic policy change is part of Microsoft's response to security weaknesses that came to light after Windows Update became an unwitting party to Flame Malware attacks, and affects Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, according to the Windows PKI blog written by Kurt L. Hudson, a senior technical writer for the company.

BACKGROUND: Flame's Windows Update hack required world-class cryptanalysis, researchers say 

MORE: Price tag for Microsoft piece of Flame malware $1M, researcher says

"To prepare for this update, you should determine whether your organization is currently using keys less than 1024 bits," Hudson writes. "If it is, then you should take steps to update your cryptographic settings such that keys under 1024 bits are not in use."

Even with preparation, updated machines may face issues such as error messages when browsing to Web sites with SSL certificates that are below the minimum 1024. They may also face problems enrolling for certificates when certificate requests use a 1024 or less key, the blog says. Installing Active X controls signed with 1024-bit or less signatures will also fail.

The same is true for installing applications signed with less-than 1024-bit signatures. The exception is those applications signed before Jan. 1, 2010, which will be allowed by default, the blog says.

The use of cryptographic keys shorter than 1024 bits makes them too vulnerable to brute-force attacks, Microsoft says, something that is widely recognized and dealt with, but not universally.

The biggest challenge for businesses getting ready for the change will likely be with legacy, in-house applications that interact with Windows platforms, says John Pironti, president of IP Architects and the security track leader for Interop.

Microsoft and many other software vendors can readily update the rules under which they accept certificates, he says. It may not be that easy to alter the rules used by custom applications, and in some cases IT security pros may not recall all the places where smaller key sizes are used. "That box just works and nobody thinks about it," he says. "A lot of cases will be, 'Oh, we forgot,' or 'We don't know how to upgrade that cert."

Dealing with such cases manually will require time and money, he says. In addition to changing settings, some hardware may need to be replaced because larger keys sap more processing power. On maxed-out machines, the added computation could cause unacceptable delay.

Overall, though, the transition should be more of an annoyance than anything else, Pironti says. As certificates issued to businesses expire, they are generally replaced with certs using longer keys, he says, so there might not be so many that remain in use.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News