Windows update spells end for short RSA keys for encryption

Windows update spells end for short RSA keys for encryption

Summary: The Microsoft security update, now pushed out to PCs rather than just available in the Download Center, ensures that web services using RSA keys will no longer trust certificates with keys shorter than 1024 bits. That said, most apps and services should already be on 2048-bit RSA.

SHARE:
0

Microsoft has pushed out an update to Windows users that forces applications and web services using RSA encryption to have keys of at least 1024 bits in length.

The update was previously available through the Download Center but was shifted to Windows Update on Tuesday, as Microsoft had previously warned. It ensures that signed apps and services such as encrypted email, which use RSA keys and call into the CertGetCertificateChain function, will no longer trust certificates with shorter keys.

The reason for extending key length is to reduce the likelihood of the keys being cracked through brute force methods.

"This is the final step in our move to help folks strengthen their certificates by requiring them to have an RSA key length of at least 1024 bits," Dustin Childs of Microsoft's Trustworthy Computing group wrote in a blog post on Tuesday.

Most apps and services should no longer require such prodding. Security experts have for more than five years been calling for businesses to move past 1024-bit encryption, and the US National Institute of Standards and Technology (NIST) recommended widespread adoption (PDF) of 2048-bit encryption back in January 2011.

The key-length change was not the only update pushed out by Microsoft in its Patch Tuesday bulletin. A critical update (MS12-064) tackles a remote code execution flaw in Word, while others resolve issues in Windows, SQL Server, SharePoint, Lync and the nearly-defunct Microsoft Works, which will cease to be supported as of the end of this week.

Topics: Security, Microsoft, Windows

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion