Microsoft encryption key deadline approaching

Any organisations that have not yet replaced outdated security certificates will have to act quickly to meet the Microsoft deadline


From 9 October, Microsoft systems will require all public key infrastructure (PKI) digital certificates using RSA key lengths of less than 1,024 bits to be reissued with a key length of at least 1,024 bits.

The move, announced in June, is part of Microsoft’s efforts to help create a safer and more-trusted internet.

Two years ago, Swedish researchers published a paper stating that while 1,024-bit encryption is 1,000 times harder to break than 768-bit codes, within four to five years 1,024-bit encryption would need to be phased out.

Microsoft is addressing the problem with software updates and has encouraged administrators to accept and deploy them.

The updates, previously available through the Microsoft download centre for manual deployment and testing, will be included in the company’s monthly security update to be issued on 9 October.

The October Patch Tuesday update will also include seven bulletins, one “critical” and six “important”, to address 20 vulnerabilities, according to Microsoft’s advance notice.

Failure to replace the weaker digital certificates increases the risk of certificate-based malware attacks and disruptions to business and computing operations reliant on Microsoft systems.

However, Microsoft’s update does not address weak keys and certificates deployed that are outside of the Microsoft Cryptographic Application Programming Interface (CAPI) environment, according to enterprise key and certificate management firm Venafi.

Enterprises that want to address the security risks posed by weak cryptographic keys deployed across their networks will need to use technologies outside of Microsoft’s updates to identify, revoke and replace these keys and certificates, the company said.

In January 2011, the US National Institute of Standards and Technology (NIST) deprecated keys of 1,024 bits or less, yet according to Venafi, research shows that 56% of organisations do not use recommended key lengths and that 20% are not aware of what encryption keys they have in use.

To help organisations with this problem, Venafi is offering a free risk-assessment capability that automates and simplifies key and certificate discovery.
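For administrators who want a first pass at the discovery step before 9 October, the following PowerShell script is an added example, not code from the article, Microsoft or Venafi. It walks the Windows certificate stores and lists every certificate whose RSA public key is shorter than 1,024 bits. The store list, the `Get-WeakRsaCertificate` function name and the 1,024-bit threshold are assumptions for illustration; the script assumes Windows PowerShell 5.1 (or later) with .NET Framework 4.6 or newer, and read access to the stores it inspects.

```powershell
# Added example (not from the article, Microsoft or Venafi): flag certificates in the
# Windows certificate stores whose RSA public key is shorter than the minimum length.
# Assumes Windows PowerShell 5.1+ with .NET Framework 4.6+ (for GetRSAPublicKey).

$MinimumBits = 1024   # threshold the Microsoft update described above enforces

# Stores to inspect (assumed list; add others such as Cert:\LocalMachine\WebHosting).
$Stores = @(
    'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\My',  'Cert:\CurrentUser\Root'
)

function Get-WeakRsaCertificate {
    param(
        [string[]]$StorePaths,
        [int]$MinimumKeyBits
    )

    foreach ($path in $StorePaths) {
        if (-not (Test-Path -Path $path)) { continue }

        foreach ($cert in Get-ChildItem -Path $path) {
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates,
            # which the Microsoft key-length requirement does not cover.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -eq $rsa) { continue }

            $bits = $rsa.KeySize
            if ($bits -lt $MinimumKeyBits) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Weakest and soonest-expiring certificates first, so reissue work can be prioritised.
Get-WeakRsaCertificate -StorePaths $Stores -MinimumKeyBits $MinimumBits |
    Sort-Object -Property KeyBits, NotAfter |
    Format-Table -AutoSize
```

This only covers certificates held in the Windows (CAPI) stores of the machine it runs on, which is exactly the scope of the Microsoft update; keys and certificates living in Java keystores, OpenSSL PEM files, appliances or other platforms are the gap Venafi describes and need a separate inventory. Run it on each server rather than once centrally, and feed the thumbprints it reports into the revoke-and-replace work rather than simply deleting the entries, since a certificate still in use will break whatever depends on it.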
