Wednesday, 25 July 2012

RSA keys under 1024 bits are blocked

Microsoft announced in June that in Aug it would “To further reduce the risk of unauthorized exposure of sensitive information, IT has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This update will block the use of cryptographic keys that are less than 1024 bits.”

Cryptographic keys are becoming longer, drive by Moore’s law; the observation that over the history of computing hardware, the number of transistors on integrated circuits doubles approximately every two years; a few years ago, most certificates were issued using 512-bit key lengths. With the computers we had then, brute forcing a private key was considered to be unfeasible, because it would take a ridiculously long amount of time. But now, most security experts consider that length to be too short, because of how fast processor power evolved, and with things like GPU arrays being used to crack passwords and so on. As the attack vectors evolve, so must security, and as such any modern certificate is now issued with a minimum of 1024 bits. But many businesses and corporations make their own certificates for a variety of purposes, from signing emails, to encrypting corporate websites, or even for their own internal login systems. Up until now, Microsoft products, such as Windows Server 2003 or 2008, allowed you to create certificates with a short key length, but after this update, this will no longer be possible

As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable sometime between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030.

If you’ve been using good security practices and your systems are kept up to date, the odds are this won’t affect you. However many businesses have a number of systems possible dating from several years ago, which may have certificates that do not meet the Microsoft’s requirements. After the update has been applied, you will start seeing errors about the following situations
  • Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
  • Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
  • Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
  • Installing Active X controls that were signed with less than 1024 bit signatures
  • Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).

Sunday, 15 July 2012

Bedford College talk 28th June

Some pictures of my talk at Bedford College, 28th June

Joint Bedford College-British Computer Society Event - Thursday 28 June 2012 - "Hollywood Effect on Digital Forensics"

June ADSL Log Analysis

Analysis of the logs files from my ADSL router for June, there was a large number of UDP scans which emanated from China.

The detected events broke down country wise as follows

Country Number of events Number of unique IP
China 317 22
Turkey 72 72
Azerbaijan 2 2
South Africa 1 1
Cyprus 1 1

The top three IP addresses for the origination of the probes where

48  events - 220.243.27.nnn (eTrunk Network Telecomunication Ltd., Guangzhou, China)
43  events - 222.125.37.nnn (ShenZhen Topway Video Communication Co. Ltd. GuangDong, China)
36  events - 211.141.176.nnn (China Mobile Communications Corporation, Anhui, China)