Blog dedicated to the study of Information Security - Privacy - Computer Security - IT Auditing.
(A compilation of the main news, events, security policies, best-practice guides, norms, standards, tools, and more)
Friday, August 17, 2012
Microsoft Releases Update That Forces Minimum Certificate Key Length of 1024 Bits
New Software Update to Windows Restricts Use of Certificates with RSA Keys Less Than 1024 bits in Length
On Tuesday, Microsoft announced the availability of an update to Windows that restricts the use of any certificates with RSA keys less than 1024 bits in length. The update hasn't received much attention, as it may have been clouded by the focus on a slew of updates released the same day as part of the company's Patch Tuesday. Nevertheless, this is an update IT security teams should pay attention to, and consider deploying sooner rather than later.
The reason, Microsoft explains, is that weak certificates with keys less than 1024 bits in length can be derived with few resources in a rather short amount of time and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. (For the technically curious, you can read about MD5 collision attacks here and here.)
The update can be downloaded through the Microsoft Download Center as well as the Microsoft Update Catalog, and is available for all currently supported releases of the Windows operating system.
Additionally, in the advisory, Microsoft said it would release the update through Microsoft Update in October 2012 "after customers have a chance to assess the impact of this update and take necessary actions to use certificates with RSA keys greater than or equal to 1024 bits in length in their enterprise."
On that note, Microsoft suggests that customers download the update and assess the impact of blocking certificates with RSA keys less than 1024 bits in length before applying the update across their enterprise. The reason is that there are several known issues associated with the update that could disrupt operations.
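The assessment step above starts with knowing which certificates the update will reject. The following PowerShell scan of the local certificate stores for RSA keys shorter than the 1024-bit minimum is an added example, not code from the original post or from Microsoft; the stores scanned and the output fields are assumptions, the threshold is the one stated in the advisory.

```powershell
# Added example (not from the original post or from Microsoft): list every
# certificate in the local stores whose RSA public key is shorter than
# 1024 bits, i.e. the certificates the update will refuse to honour.
# Assumes Windows PowerShell with the Cert: drive; stores are an assumption.
$MinimumBits = 1024
$Stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
$RsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption; only RSA keys are affected

$weakCerts = foreach ($store in $Stores) {
    Get-ChildItem -Path $store -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Skip DSA/ECC certificates; the restriction applies to RSA keys only
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { return }
            $keySize = $cert.PublicKey.Key.KeySize
            if ($keySize -lt $MinimumBits) {
                [PSCustomObject]@{
                    Store      = ($cert.PSParentPath -split '::')[-1]
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeySize    = $keySize
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

if ($weakCerts) {
    $weakCerts | Sort-Object KeySize, NotAfter | Format-Table -AutoSize
    Write-Warning ("{0} certificate(s) with RSA keys shorter than {1} bits found; reissue them before deploying the update" -f @($weakCerts).Count, $MinimumBits)
} else {
    Write-Host "No certificates with RSA keys shorter than $MinimumBits bits found."
}
```

This inventories only certificates installed locally; chains presented by remote services and certificates that signed existing binaries have to be assessed separately.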