Microsoft Tightening Certificate Security by Clamping Down on RSA Key Length

Among the changes pushed by Microsoft on Oct. 9 as part of its monthly ritual known as Patch Tuesday, the company installed a new minimum standard for the size of encryption keys used to sign digital certificates. From now on, computers accepting updates directly from Microsoft will no longer accept digital certificates signed with RSA keys smaller than 1024 bits.

The move is part of Microsoft’s continuing efforts to tighten up security around its certificate issuing process. That process embarrassed the company last June when it was discovered that a cyber espionage program called Flame contained a feature that compromised Windows updates.

Flame found a way to issue bogus certificates signed by Microsoft. The certificates were used to divert requests to update Windows from healthy machines to infected machines. Those machines then pushed infected Windows updates to the healthy machines, creating more infected machines.

Microsoft quickly addressed the certificates situation, so quickly that some security experts felt that the company may have known about the vulnerability exploited by Flame but was holding off on fixing it until it launched Windows 8. At that time it was predicted that Microsoft would change the length of the keys it uses for its certificates, which it did on Oct. 9.

In a security advisory, Microsoft explained that the private keys used in certificates with RSA keys less than 1024 bits in length are too easy to crack. Once compromised, certificates could be duplicated by an attacker and they could be used in all kinds of mischief, such as spoofing content, performing phishing attacks and launching man-in-the-middle forays.

In public key cryptography, two encryption keys are used. A public key is used to encrypt data. A private key is used to decrypt it. Public keys are widely distributed so anyone can encrypt data and send it to the owner of the public key. That data can only be decrypted, however, with the private key, which the owner is supposed to keep secure. For digital signatures, the roles are reversed: the private key is used to sign and the public key is used to verify the signature.

Digital certificates are used to tell a person who owns a particular public key. The certificate is an electronic credential used to certify the online identities of individuals, organizations and computers. A certificate includes the public key, plus information about it — who owns it, what it can be used for, when it expires and such.

A digital certificate can only be created by the person who has the private key for the certificate. An attacker can try to guess what the key is. That’s usually done by what’s called a “brute force” attack. Such mathematical assaults can take a lot of computing power. However, the shorter a private key is, the easier it is to crack.

“Using modern hardware, keys less than 1024 bits in length can be successfully guessed in a short amount of time,” Microsoft explained.

Since 512-bit RSA keys were introduced in 1999, computing power has increased a tad, making the technology unsafe.

In its advisory, Microsoft explained that the new changes affect only applications and services that use RSA keys for cryptography and call into the CertGetCertificateChain function. Applications and services impacted by the change include encrypted e-mail, SSL/TLS encryption channels, signed applications and private PKI environments.

Certificates that do not use RSA are not affected by the update.
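A defender's first question after this change is which certificates in their own environment fall below the new minimum. The following PowerShell script is an added example, not code from the article or from Microsoft. It walks every certificate in a local store, builds the chain with the .NET X509Chain class (which on Windows wraps the same CertGetCertificateChain function the advisory names), and reports any RSA key in the chain shorter than a configurable threshold. Certificates that do not use RSA are skipped, matching the scope of the update. The store path and the 1024-bit threshold are assumed defaults that you can override.

```powershell
# Added example (not from the article): audit certificate chains in a local
# store for RSA keys shorter than a minimum length. Assumed defaults: the
# machine's personal store and Microsoft's new 1024-bit minimum.
param(
    [string]$StorePath  = 'Cert:\LocalMachine\My',
    [int]$MinimumBits   = 1024
)

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns $null for non-RSA certificates, which the key-length change does not affect.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

$findings = foreach ($cert in Get-ChildItem -Path $StorePath) {
    # X509Chain.Build calls into CertGetCertificateChain on Windows, so the
    # elements we inspect are the ones the platform itself would evaluate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; only key sizes matter here
    $null = $chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $c    = $element.Certificate
        $bits = Get-RsaKeyBits -Cert $c
        if ($null -ne $bits -and $bits -lt $MinimumBits) {
            [pscustomobject]@{
                LeafSubject = $cert.Subject   # the end-entity cert whose chain contains the weak key
                WeakSubject = $c.Subject      # the certificate that actually carries the short key
                Thumbprint  = $c.Thumbprint
                KeyBits     = $bits
                NotAfter    = $c.NotAfter
            }
        }
    }
    $chain.Reset()
}

if ($findings) {
    $findings | Sort-Object KeyBits | Format-Table -AutoSize
} else {
    "No RSA keys shorter than $MinimumBits bits found in $StorePath"
}
```

Run it as an administrator to read the machine store, or point `-StorePath` at `Cert:\CurrentUser\My` for a user's own certificates. Because the chain is built rather than just the leaf inspected, a short key on an intermediate or root CA is reported alongside the end-entity certificate it will break, which is the case that is easiest to miss when only the leaf certificates were issued recently.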

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

1 Comment

  1. Devon Harris · October 21, 2012

    Microsoft is considered the no. 1 spammer in the world, but it’s also the most vulnerable? That’s very interesting. It’s a good thing I didn’t fall for those fake certificates. I know Flame really has caught the ire of a lot of users, but I couldn’t blame them. Seriously, you don’t expect that from a company known as Microsoft. I just hope that this new step they’ve taken will officially prevent any type of Flame attack in the future. Otherwise, I bet it’s not only me who’s going to stay away from it forever. Honestly, I’ll campaign against this brand.