Windows update spells end for short RSA keys for encryption

Microsoft has pushed out an update to Windows users that forces applications and web services using RSA encryption to have keys of at least 1024 bits in length.

The update was previously available through the Download Center but was shifted to Windows Update on Tuesday, as Microsoft had previously warned. It ensures that signed apps and services such as encrypted email, which use RSA keys and call into the CertGetCertificateChain function, will no longer trust certificates with shorter keys.

The reason for extending key length is to reduce the likelihood of the keys being cracked through brute force methods.

"This is the final step in our move to help folks strengthen their certificates by requiring them to have an RSA key length of at least 1024 bits," Dustin Childs of Microsoft's Trustworthy Computing group wrote in a blog post on Tuesday.

Most apps and services should no longer require such prodding. Security experts have for more than five years been calling for businesses to move past 1024-bit encryption, and the US National Institute of Standards and Technology (NIST) recommended widespread adoption (PDF) of 2048-bit encryption back in January 2011.

The key-length change was not the only update pushed out by Microsoft in its Patch Tuesday bulletin. A critical update (MS12-064) tackles a remote code execution flaw in Word, while others resolve issues in Windows, SQL Server, SharePoint, Lync and the nearly-defunct Microsoft Works, which will cease to be supported as of the end of this week.