Friday, August 17, 2012

Microsoft Releases Update That Forces Minimum Certificate Key Length of 1024 Bits

New Software Update to Windows Restricts Use of Certificates with RSA Keys Less Than 1024 bits in Length

On Tuesday, Microsoft announced the availability of an update to Windows that restricts the use of any certificates with RSA keys less than 1024 bits in length.
The update hasn't received much attention, as it may have been clouded by the focus on a slew of updates as part of the company's Patch Tuesday updates released the same day. Nevertheless, this is an update IT security teams should pay attention to, and consider deploying sooner rather than later.
The reason, Microsoft explains, is that weak certificates with keys less than 1024 bits in length can be derived with few resources in a rather short amount of time and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. (For the technically curious, you can read about MD5 collision attacks here and here). 
The update can be downloaded through the Microsoft Download Center as well as the Microsoft Update Catalog, and is available for all currently supported releases of the Windows operating system.
Additionally, in the advisory, Microsoft said it would release the update through Microsoft Update in October, 2012 “after customers have a chance to assess the impact of this update and take necessary actions to use certificates with RSA keys greater than or equal to 1024 bits in length in their enterprise.”
On that note, Microsoft suggests that customers download the update and assess the impact of blocking certificates with RSA keys less than 1024 bits in length before applying the update across their enterprise. The reason is that there are several known issues associated with the update that could disrupt operations.
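The impact assessment Microsoft recommends starts with an inventory: which certificates already in the Windows stores carry RSA keys shorter than 1024 bits and will stop validating once the update is in place. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell with the Cert: provider and reports each RSA certificate in the machine and user stores that falls below the threshold.

```powershell
# Added example: inventory RSA certificates with keys shorter than the
# 1024-bit minimum enforced by the update. Assumes the Cert: provider
# (Windows PowerShell); store paths and the threshold are parameters.
function Get-WeakRsaCertificate {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinBits = 1024
    )
    $rsaOid = '1.2.840.113549.1.1.1'   # OID for RSA public keys
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # The update applies to RSA keys only; ECC and DSA keys are skipped.
                if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }
                try {
                    $bits = $cert.PublicKey.Key.KeySize
                } catch {
                    Write-Warning "Could not read key size for $($cert.Thumbprint): $_"
                    return
                }
                if ($bits -lt $MinBits) {
                    [PSCustomObject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                        KeyBits    = $bits
                    }
                }
            }
    }
}

# Report every certificate the update would reject; an empty result means
# no sub-1024-bit RSA certificates were found in the scanned stores.
Get-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```

Run it in an elevated session so the LocalMachine stores are fully readable, and extend `$StorePaths` to cover any application-specific stores before judging the deployment safe.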
