Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

RSA keys under 1024 bits are blocked

RSA keys under 1024 bits are blocked

  • Comments 60
  • Likes

Public key based cryptographic algorithms strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive private key is prohibitive enough using the computing power at disposal. The threat landscape continues to evolve.  As such, we are further hardening our criteria for the RSA algorithm with key length less than 1024 bits.
To further reduce the risk of unauthorized exposure of sensitive information, Microsoft has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This update will block the use of cryptographic keys that are less than 1024 bits.
Some issues that you may encounter after applying this update may include:

  • Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
  • Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
  • Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
  • Installing Active X controls that were signed with less than 1024 bit signatures
  • Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).

To prepare for this update, you should determine whether your organization is currently using keys less than 1024 bits. If it is, then you should take steps to update your cryptographic settings such that keys under 1024 bits are not in use. 

Certificate Chain Build Block of Keys under 1024 Bits

The Crypto API builds a certificate trust chain and validates that chain using time validity, certificate revocation, and certificate policies (such as intended purposes). Once the update is applied, during chain building there is an additional check to ensure that no certificate in the chain has key length less than 1024 bits). Chain building is done using the CertGetCertificateChain function. If a key chain building issue is encountered with such a certificate, then the errors produced are as follows:
Event 11, CAPI2

• CERT_TRUST_IS_NOT_SIGNATURE_VALID
• CERT_TRUST_HAS_WEAK_SIGNATURE

Working CSPs that Default to Allow Minimum 512 Bit Keys

There are three cryptographic service providers (CSPs) that default
to allow minimum 512 bit keys in Windows Server 2008 R2:

  1. Microsoft Base Cryptographic Provider v1.0 (RSA)
  2. Microsoft Base DSS and Diffie-Hellman
    Cryptographic Provider (DH)
  3. Microsoft DH SChannel Cryptographic Provider
    (DH)

When working with V2 certificate templates, if you do not specify the key size, then the default CSP with default key size will be used to generate the key. If the default CSP is one of the above 3 CSPs on the client box, then the generated key will be under 1024 bits. The CA which has been updated with weak key protection will reject such request. As a result, we recommended that you do the following:

  1. Configure the template to specify the cryptographic providers that you want to be utilized by selecting Requests must use on of the following
    providers
    .
  2. Configure the Minimum key size to 1024 bit or larger.

When using certreq, ensure that you specify a 1024 bit or larger key in the INF file. For additional information, see Best Practice for Configuring Certificate Template Cryptography.

Discovering Usage of Keys under 1024 Bits in Certificate Templates

You can run the following query on your Certification Authorities (CAs) in order to discover certificate templates that are utilizing
keys under 1024 bits:

Certutil -dstemplate | findstr "[ msPKI-Minimal-Key-Size"| findstr /v "1024 2048 4096"

Note: The command should be run in each forest in your organization.

If you run this query, templates that utilize keys that are smaller than 1024 bits will be shown with their key size. The following figure illustrates that two of the built-in templates SmartcardLogon and SmartcardUser templates have default key lengths that have minimum key sizes of 512 bits. You may also discover other templates that were duplicated with minimum key sizes of less than 1024 bits.

For each template you discover that allow less than 1024 bit keys, you should determine whether it is available to issue certificates as shown in the Certificate Templates section of the Certification Authority console.

For these templates, you should consider increasing the Minimum key size to a setting of at least 1024 (assuming the devices to which these certificates are to be issued support a larger key size).

You should use Reenroll All Certificate Holders to cause the client computers to reenroll and request a larger key size (assuming certificate autoenrollment is enabled).

If you have issued certificates using the built-in Smartcard Logon or Smartcard User templates, you will not be able to adjust the minimum key size of the template directly. Instead, you will have to duplicate the template, increase the key size on the duplicated template, and then supersede the original template with the duplicated template.

After you have superseded the template, you should use Reenroll All Certificate Holders to cause the client computers to reenroll and request a larger key size.

Discovering usage of RSA keys under 1024 Bits in Cryptographic Operations

You can utilize CAPI2 logging starting with Windows Vista or Windows Server 2008 computers to help identify keys under 1024 bits. You can then allow the computers to perform their normal operations and check the log after a period of time to help identify such keys. You can then use that information to track down the sources of the certificates and make the necessary updates.

To accomplish this, you must first enable verbose diagnostic logging. To enable verbose mode logging:

  1. Open the Registry Editor (regedit.exe).
  2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  3. Add a DWORD (32-bit) value DiagLevel with value of 0x00000005
  4. Add a QWORD (64-bit) value DiagMatchAnyMask with value of 0x00ffffff

Once you do this, you can then enable CAPI2 operational logging in the Event Viewer. The CAPI2 Operational log is located under Applications and Service Logs, Microsoft, Windows, and CAPI2 in the Event Viewer. To enable logging, right-click the Operational log and select Enable Log.

Once you've collected the log, you can use the following filter to reduce the number of entries that you have to search through in order to find certificate operations with keys under 1024 bits. The following filter looks for keys of 512 bits.

<QueryList>

 
<Query Id="0"
Path="Microsoft-Windows-CAPI2/Operational">

   
<Select Path="Microsoft-Windows-CAPI2/Operational">Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='512']]]]] and
UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]</Select>

 
</Query>

</QueryList>

You can also query multiple key lengths with a single query. For example, the following filter queries for both 384 bit and 512 bit keys.

<QueryList>

 
<Query Id="0"
Path="Microsoft-Windows-CAPI2/Operational">

   
<Select Path="Microsoft-Windows-CAPI2/Operational">Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='384']]]]] and
UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]
or
Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='512']]]]] and
UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]</Select>

 
</Query>

</QueryList>

Discovering issued RSA certificates with keys less than 1024 bits

Ingolfur Arnar Stangeland came up with a certutil command to show whether a CA has issued RSA certificates with keys less than 1024 bits. He published the instructions in his blog post "How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254)" http://blogs.technet.com/b/instan/archive/2012/08/03/how-to-identify-if-your-adcs-has-issued-any-certificates-with-public-keys-lt-1024-bits-in-preparation-for-kb2661254.aspx

Additional resources

Security advisory http://technet.microsoft.com/security/advisory/2661254.

KB 2661254: http://support.microsoft.com/kb/2661254

Additional blog posts:

http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

http://blogs.technet.com/b/pki/archive/2012/08/14/blocking-rsa-keys-less-than-1024-bits-part-3.aspx

Comments
  • Umm... while you're at it, do yourself a favor and go up to at least 2048 bit RSA. 1024 bit RSA is pretty much deprecated and should not be rolled out as of Jan 1 2011.

    See http://www.keylength.com/ or NIST recommendations for key length

  • Tony Larson: More information should be published today. I am preparing a second blog post.

    ppivanov: I don't follow your scenario. I would think that your browsers would build just fine with a 1024 bit cert on the SSL site. You will be able to override the setting using regedit, if it turns out that it does not work. I will be posting more about this in a second blog post - probably today.

    Muis: No. You need not worry about that because it is only affecting chain building.

    Frank Lesniak: Thanks. One step at a time. :-)

  • Does it still allow my software to store and retrieve smaller keysizes from the Machine Key Store?

  • Poes: Yes, you can still retrieve smaller key sizes. As I mentioned in several other comments and in the article itself, this update is only targeted to affect chain building.

  • The Part 2 of this blog post is now ready at:

    blogs.technet.com/.../blocking-rsa-keys-less-than-1024-bits-part-2.aspx

  • ppivanov: The cost to break a 512 bit key in a week is less than $150 on EC2, I hope you're not protecting anything worth more than that.

  • What about certificares 1024 but MD5 ?  They will be affected?  Can we still using its?

  • Hello, I have an application that has been signed with a root authority of 512 bits after the 1st Jan. 2010. This application is working fine today. I understand I won't be able to install it anymore once the patch has been installed on a workstation. Anyhow will the currently installed version continue to work? Tyhanks for your help!

  • Jose Gonzalez: Yes, MD5 will continue to work.

    Isabelle Sanier: Yes, the application will continue to work once installed. See also blog post 2 blogs.technet.com/.../blocking-rsa-keys-less-than-1024-bits-part-2.aspx

  • Thank you for taking time to answer. Just a quick clarification: will it work without the CertUtil application or am I forced to patch someone my workstation with CertUtil to have it running? Thanks again!

  • How will it affect internet access if installed on MS TMG server?

  • How will this effect mail server using SSL Cert

  • Will this effect dlls in the GAC with less than 1024?

  • Will this patch BLOCK the access to sites using less than 1024 bit key or display the error message only?

  • In one of the response you stated -- 4. Will the 1023 bit keys that are issued by IBM’s WebSphere be affected by the update? No, those keys will not be blocked by the update.

    The 1023 key cert on UNIX system will not be blocked, but for the Windows platform (with Aug 14 patch deployed) to access the site using this cert should also be affected, correct?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment