“Microsoft has set October 9 as the deadline for replacing all certificates signed with RSA keys less than 1024 bits in length”
London: Venafi, the inventor of Enterprise Key and Certificate Management (EKCM) solutions, is advising all organizations reliant on Microsoft Windows operating systems to take immediate action to find and replace all digital certificates signed with RSA encryption keys that are less than 1024 bits in length. In the wake of the Flame malware attacks, Microsoft has advised its customers to take this step to harden security against known vulnerabilities and attack vectors in order to prevent business and operational disruptions.
According to Microsoft security advisories and its Security Response Center Blog (http://blogs.technet.com/b/msrc/archive/2012/09/06/september-ans-and-an-important-heads-up-concerning-certificates.aspx), Microsoft has set October 9 as the deadline for replacing all certificates signed with RSA keys less than 1024 bits in length. According to many reports, if these certificates are not replaced by the deadline, the risk of certificate-based malware attacks will remain high, and disruptions to business and computing operations could range from Internet Explorer failures to an inability to encrypt or digitally sign email in Outlook 2010 and other legacy systems that rely on the older, weaker encryption keys.
Microsoft is addressing the problem with software updates and has encouraged administrators to accept and deploy them. However, the update does not address weak keys and certificates deployed outside the Microsoft CAPI environment. Enterprises that want to address the security risks of weak cryptographic keys deployed across their networks will need to use technologies beyond the Microsoft updates to identify, revoke and replace these keys and certificates. Microsoft's changes will affect not only the certificate stores but any application that relies on CAPI certificate processing -- no matter where the certificate is located.
-- Who: Microsoft is advising all customers to harden defenses against weak encryption attacks
-- What: The company advises all customers to revoke and replace all RSA keys less than 1024 bits with keys with stronger bit lengths
-- Why: Weak keys are hackable and increase risk of compromise and data breach
-- When: Oct. 9, 2012
-- Next Steps: Enterprises should act immediately to find and replace all weak encryption keys
-- How: Venafi provides a free risk assessment capability that automates and simplifies key and certificate discovery, including the number of keys and certificates deployed, key lengths, certificate expiration dates, CA issuers and more, at: http://www.venafi.com/products/md5-certificate-assessor/
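The first step the advisory calls for is an inventory of certificates whose RSA public key is shorter than 1024 bits. The following PowerShell script is an added example written for this page; it is not Microsoft's or Venafi's code. It walks every store exposed by the Windows Cert: provider for both the local machine and the current user, reports each certificate with an RSA key below the threshold, and writes the findings to a CSV. The 1024-bit threshold and the report path are assumptions that should be adjusted to local policy.

```powershell
# Added example (not from the original article, Microsoft or Venafi):
# inventory the Windows certificate stores for certificates whose RSA
# public key is shorter than the chosen threshold.
$MinimumRsaBits = 1024                                   # assumed threshold (per the advisory)
$ReportPath     = Join-Path $env:TEMP 'weak-rsa-certificates.csv'   # assumed output location

$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

# Get-ChildItem on Cert:\ -Recurse returns store locations, stores and
# certificates; keep only the certificate objects.
$weak = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_ -is $x509 } |
    ForEach-Object {
        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates,
        # so it doubles as the "is this an RSA key" filter. Only the public
        # key is inspected; no private key access is needed.
        $rsa = $rsaExt::GetRSAPublicKey($_)
        if ($null -ne $rsa -and $rsa.KeySize -lt $MinimumRsaBits) {
            [PSCustomObject]@{
                Store         = $_.PSParentPath -replace '^.*::', ''
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                KeyBits       = $rsa.KeySize
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
    }

# Smallest keys first, then by expiry, so the most urgent replacements lead.
$weak = @($weak | Sort-Object KeyBits, NotAfter)
$weak | Format-Table -AutoSize
$weak | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("Found {0} certificate(s) with RSA keys shorter than {1} bits; report written to {2}" -f `
    $weak.Count, $MinimumRsaBits, $ReportPath)
```

Run it from an elevated PowerShell session so that the LocalMachine stores are readable. As the article notes, this only covers certificates held in the CAPI stores; keys and certificates living elsewhere (PEM or PKCS#12 files on disk, Java keystores, appliances) need a separate discovery pass, and a certificate flagged here still has to be reissued by its CA with a longer key before the old one is revoked.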
In January 2011, NIST deprecated keys of 1024 bits or less. Despite this guidance, research shows that 56 percent of organizations do not use recommended key lengths as part of their defenses and that 20 percent do not know which encryption keys they have in use. To learn more about the security risks associated with weak key lengths and how to reduce them through best practices, download the Venafi 2011 Security Best Practices Assessment: http://www.venafi.com/wp-content/uploads/2011/09/2011_IT_Security_Best_Practices_Assessment_Executive_Overview.pd