Vote NO to Weak Keys!

OK, so I'm a bit off base with the title - we don't get a vote, but that's a good thing!

As part of the August patch cycle (just 3 weeks away), Microsoft will be pushing out a patch that will block all RSA keys under 1024 bits in length. This will affect the whole fleet - Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.  This is being done in the certificate store, so it'll affect all Microsoft encryption services (the most visible being IE).

Their blog entry on this patch is here:
http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx

They highlight the more common issues that folks may see:

  • Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
  • Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
  • Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
  • Installing ActiveX controls that were signed with less than 1024 bit signatures
  • Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).

Those last two I hadn't thought of until I read this article - I could see lots of organizations being vulnerable on application and ActiveX signing and not realizing it. (Many companies don't realize that they are even using signed applications or controls!)

Not only does the blog describe the patch and the possible issues, it also goes through the steps organizations should take to assess any internal (or external) web applications and services, to ensure that they'll still work post-patch.

The follow-on blog entry covers how to implement work-arounds to permit continued operation. Their approach uses (of course) certutil.exe, the command line certificate utility that is in all affected versions of Windows. Find this follow-on blog here:
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

Hopefully the impact of this change will be minimal. Remember that the 1024 bit keys in question are in the certificate, so these are the keys used to secure the initial authentication of an SSL conversation. These keys are not used in the subsequent cipher that encrypts the actual data. Most of the public CAs (Certificate Authorities) moved to longer keys quite some time ago, so support for weak keys within certificates is likely a legacy issue, one that will mostly be seen on poorly implemented internal CA infrastructures.

===============
Rob VandenBrink
Metafore
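
As an added example (not from this post or from the Microsoft blog entries), one way to start the pre-patch assessment is to inventory the local certificate stores for RSA certificates with keys under 1024 bits. The function name and its parameters are illustrative.

```powershell
# Added example: flag RSA certificates whose public key is below a bit-length floor.
# Get-WeakRsaCertificate and its parameters are illustrative names, not Microsoft's.
function Get-WeakRsaCertificate {
    param(
        [string[]]$Path = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = 1024   # threshold described in the post
    )
    $rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption
    foreach ($root in $Path) {
        # Recurse through every store. The provider also returns store
        # containers, so keep only the certificate objects.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # Only RSA keys are in scope; skip DSA and ECC certificates.
                if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }
                try {
                    $bits = $cert.PublicKey.Key.KeySize   # modulus length in bits
                } catch {
                    Write-Warning "Cannot read key for $($cert.Thumbprint): $_"
                    return
                }
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# List every weak certificate found, grouped by the store it lives in.
Get-WeakRsaCertificate | Sort-Object Store, KeyBits | Format-Table -AutoSize
```

This only covers certificates installed in the local stores; certificates presented by web sites or embedded in signed applications and ActiveX controls need to be checked separately.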

They haven't gone far enough. 1024-bit keys have a strength approximately equivalent to an 80-bit symmetric cipher.

What they should be doing is rejecting all keys less than 1024 bits, regardless of "signed date"; since the signed date could just be faked.

AND reject all keys less than 2048 bits signed after the date of the patch.

Then release another patch in 1 year, to reject all keys less than 2048 bits.



Anonymous