RSA keys under 1024 bits and you

Recently Microsoft announced that they will push an update in August that will prevent the use of RSA keys with a bit-length less than 1024.

This change has been coming for some time: Microsoft has not accepted CAs with such small keys in its root program for quite a while, and it has been a proponent of the key-length restrictions in the current Baseline Requirements for SSL/TLS certificates from the CA/Browser Forum.

Despite this, the SSL Pulse project still shows web servers within the top 1 million websites using keys smaller than 1024 bits (5 of them). I do not know who issued these certificates (it was not GlobalSign), but the Microsoft Root Program had already prohibited the issuance of keys smaller than 1024 bits, and the new Baseline Requirements require that all certificates with 1024-bit keys expire before December 2013, so my guess is these would have expired naturally by then anyway.

Once applied, this patch will cause those certificates to fail validation.

Microsoft is averse to “breaking things” it does not control; it’s easy to understand why. With that in mind we can assume the decision to release this policy in the form of a patch is based on the recent PKI issues exploited by Flame, which was only possible because of its use of weak crypto.

But what does this mean for you? In the context of getting TLS certificates from a CA trusted by Microsoft or Mozilla, you shouldn’t be impacted at all, since no such CA should have been issuing certificates with such small keys.

That said, in an enterprise it’s certainly possible such certificates exist. If you run an internal PKI you need to make sure none are in yours before this patch is deployed in August, or those systems will stop working.

Microsoft provides some guidance on how to look for these certificates, but you’re likely better off running a tool like Venafi Assessor against your environment to find what keys and certificates you have deployed.

Venafi releases this “assessment tool” for free as a way to market its certificate management products. The marketing material is alarmist (and in some cases a little misleading), but the assessment tool is good and will be useful to organizations that need to understand the implications for their environment.
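If you want a first pass before reaching for a commercial tool, the inventory described above can be started from a Windows box with PowerShell. The script below is an added example written for this post; it is not Microsoft’s guidance and not Venafi’s tool. It walks every certificate store of the local machine and the current user (roots and intermediates included, because a weak key anywhere in a chain fails the whole chain), optionally scans a folder of exported certificate files, and reports every RSA public key shorter than the threshold. It assumes Windows PowerShell 3.0 or later with the `Cert:` drive; the 1024-bit threshold, the folder path and the report path are choices made here, not values taken from the update.

```powershell
# Added example, not code from the original post, from Microsoft or from Venafi:
# find certificates whose RSA public key is shorter than 1024 bits, the keys the
# August update stops accepting. Assumes Windows PowerShell 3.0+ with the Cert: drive.
# $MinimumBits, $ExtraFolder and $Report are assumptions made for this example.

$MinimumBits = 1024
$ExtraFolder = 'C:\inetpub\certs'                  # assumed folder of exported .cer/.crt/.pem/.p7b files
$Report      = Join-Path $env:TEMP 'weak-rsa-certs.csv'

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Only RSA keys are in scope; ECDSA/DSA certificates return $null and are skipped.
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    try   { return $Cert.PublicKey.Key.KeySize }   # public key only, no private key access needed
    catch { return $null }                          # provider refused to load the key
}

function Test-WeakRsaCert {
    param($Cert, [string] $Location)
    $bits = Get-RsaKeySize $Cert
    if ($null -eq $bits -or $bits -ge $MinimumBits) { return }   # strong key: emit nothing
    [pscustomobject]@{
        Location   = $Location
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        KeyBits    = $bits
    }
}

# 1. Every store under LocalMachine and CurrentUser: Root, CA, My, Enterprise Trust, ...
#    A weak root or intermediate breaks every chain built through it, so do not limit
#    the scan to the Personal store.
$findings = @(
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object { Test-WeakRsaCert -Cert $_ -Location $_.PSParentPath }
)

# 2. Certificate files on disk that are not (yet) in a store. X509Certificate2Collection.Import
#    understands single DER/PEM certificates as well as PKCS#7 bundles.
if (Test-Path $ExtraFolder) {
    $findings += @(
        Get-ChildItem -Path $ExtraFolder -Recurse -Include *.cer, *.crt, *.pem, *.p7b |
            ForEach-Object {
                $path = $_.FullName
                $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
                try { $coll.Import($path) } catch { return }          # not a certificate file, skip it
                foreach ($c in $coll) { Test-WeakRsaCert -Cert $c -Location $path }
            }
    )
}

$findings | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
$findings | Export-Csv -Path $Report -NoTypeInformation
Write-Host "$($findings.Count) certificate(s) with RSA keys under $MinimumBits bits; report written to $Report"
```

Run it elevated so the LocalMachine stores are readable, and run it on the servers and the CA hosts themselves rather than only on a workstation: the certificates that will break are the ones installed where chains are built. The key size check is done on the public key, so no private key export is needed, and certificates whose key size cannot be determined are silently skipped, which is worth keeping in mind when the count comes back as zero.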
