With the scope of digital exploitation increasing, Microsoft came out with an advisory that it will no longer entertain digital certificates of less than 1024 bits strength. In August 2012, Microsoft issued a security advisory that it will not support RSA digital certificates from Oct 9 2012. You need to upgrade your RSA digital certificates before that date, the cut-off date to block weak certificates (less than 1024 bits).
Most digital certificates employ RSA algorithm for certificates used with websites, to digitally sign and encrypt files. The strength of RSA algorithm is based on the number of bits used. RSA certificates identify an individual, organization and files as being authentic and original. When used with emails and other type of data files, RSA digital certificates allow for prevention of tampering of the file contents in a sense that they will alert users in case of manipulation of original files. Until now, most certification authorities (CA) provided digital certificates with less than 1024 bits. Given the base of exploitation of online assets being manipulated and exploited, the software company says it is high time IT admins update their RSA digital certificates to protect users from any kind of vulnerability.
Microsoft said it will provide an automatic update on Oct 9, 2012 that will update operating systems and other products to unrecognize websites and items using RSA digital certificates having less than 1024 bit strength. Some experts say this decision has come in wake of exploitation of the Windows range of operating system by malware of likes Flame etc. Others say that Microsoft was working on this since long. Whatever be the reason, it is time to dust off your digital certificates and upgrade them to strength of at least 1024 bits. The strength of a RSA digital certificate is measured by time taken to decode the private key of the certificate. To enforce better protection, people need to add more strength to the certificates.
Be aware that the company states 1024 bits as minimum. For better protection and to avoid any similar updates in near future, it recommends that you go for strengths above 2048 bits.
What Happens If You Don’t Update RSA Digital Certificates?
You will get error messages of the type shown below and worse, your applications may not work properly.
There is a problem with this website’s security certificate
According to the Microsoft Security Advisory, the update will not affect Windows 8 and Windows 2012 Server as they already have the built in feature to block weak RSA certificates that are less than 1024 bits long. Other operating systems and software will be updated on Oct 9 2012 to act accordingly – to block weak RSA certificates. Following are some of the issues people can face if the RSA digital certificates are not updated (As mentioned in Microsoft KB article 2661254):
- Certification authorities cannot issue RSA certificates having less than 1024 bits;
- Certification Authorization process (certsvc) will not start if the RSA digital certificate is weak;
- Internet Explorer will block access to websites with weak RSA digital certificates;
- Outlook 2010 will not be able to digitally sign emails and users won’t be able to encrypt emails. If the email was already encrypted using a weaker RSA certificate, it can still be decrypted after the update;
- If users receive an email signed by RSA digital certificate less than 1024 bits, they will receive an alert saying the certificate cannot be trusted – sending out signals about the originality and authenticity of the email;
- Outlook will not connect to Exchange Server with RSA certificates less than 1024 bits. Users will see an alert saying the certificate cannot be trusted and hence, has been blocked;
- While installing products carrying weak RSA certificates, users will receive warning about the certificate that will discourage users to install the “untrusted” product;
- According to the Advisory, “System Center HP-UX PA-RISC computers that use an RSA certificate with a 512 bit key length will generate heartbeat alerts and all Operations Manager monitoring of the computers will fail. An “SSL Certificate Error” will also be generated with the description “signed certificate verification.” Click here for more information about HP UX PA RISC computers with 512 bit key length.
Microsoft TechNet team has a discussion on detailed FAQ and suggested actions on its blog.
How To Detect If RSA Certificate Is Weak
The KB article 2661254 has suggested the following method to check if you hold any weak RSA digital certificates.
All RSA digital certificates can be opened by double clicking on its icon. Details about certification can be viewed on the Details tab once you open the digital certificate. There should be a field labeled “Public Key” that shows the number of bits being used by the certificate.
There are some other methods listed in the Advisory KB article 2661254. I recommend you check out the CAPI2 method as well. It will help you identify all the certificates having weak cipher strength. The method is described in the above linked KB article 2661254.
Workaround To Access Websites And Programs With Weak RSA Digital Certificates
Though it has strongly advised IT admins to upgrade their RSA digital certificates with a minimum of 1024 bits, Microsoft is providing a workaround to access websites and programs having weak digital certificates. It says it may take some time before all admins can update their certificates and hence users can use the prescribed workaround to access weak RSA digital certificates even as websites and programs are renewing and upgrading their certificates. The workaround involves editing the Windows Registry. Check out the section Allow Key Lengths Of Less Than 1024 Bits Using Registry Settings under RESOLUTIONS in the linked KB article to tweak Windows registry using the certutil command.
Note that there are two sections: one says RESOLUTIONS (plural) and the other says RESOLUTION (singular). You need to check out the RESOLUTIONS (plural) section for the workaround to allow weak RSA digital certificates temporariliy.
Microsoft is providing updates under the section RESOLUTION of KB article 2661254. These patches update your system to increase minimum encryption levels in Windows range of operating systems so that you don’t face problems accessing strong RSA digital certificates. Check the operating system mentioned against the patches (including 32 or 64 bit) before downloading them to make sure you are downloading the correct update.
To sum up, the age of 512 bit RSA digital certificates is over. You need to move to stronger key strengths for better protection against exploitation of your data.