Cryptographic keys are becoming longer, drive by Moore’s law; the observation that over the history of computing hardware, the number of transistors on integrated circuits doubles approximately every two years; a few years ago, most certificates were issued using 512-bit key lengths. With the computers we had then, brute forcing a private key was considered to be unfeasible, because it would take a ridiculously long amount of time. But now, most security experts consider that length to be too short, because of how fast processor power evolved, and with things like GPU arrays being used to crack passwords and so on. As the attack vectors evolve, so must security, and as such any modern certificate is now issued with a minimum of 1024 bits. But many businesses and corporations make their own certificates for a variety of purposes, from signing emails, to encrypting corporate websites, or even for their own internal login systems. Up until now, Microsoft products, such as Windows Server 2003 or 2008, allowed you to create certificates with a short key length, but after this update, this will no longer be possible
As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable sometime between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030. http://www.rsa.com/rsalabs/node.asp?id=2004
If you’ve been using good security practices and your systems are kept up to date, the odds are this won’t affect you. However many businesses have a number of systems possible dating from several years ago, which may have certificates that do not meet the Microsoft’s requirements. After the update has been applied, you will start seeing errors about the following situations
- Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
- Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
- Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
- Installing Active X controls that were signed with less than 1024 bit signatures
- Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).
No comments:
Post a Comment