Microsoft Rights Management (RMS) Team Blog

The official team blog of Microsoft's Rights Management product team with news and updates for IT professionals using AD RMS or Azure RMS.

AD RMS and cryptographic support for SHA-2/RSA 2048

AD RMS and cryptographic support for SHA-2/RSA 2048

  • Comments 11
  • Likes

(This blog post was first published on the RMS team blog in March 2012.)

One of the more significant updates to AD RMS that has occurred over the past year is the support for a new advanced mode of operation that supports enhanced cryptography.  This support was added with Service Pack 1 for Windows 2008 R2 and is now being made available in Windows Server "8" Beta as well.

The new cryptographic mode support for AD RMS enables you to increase the cryptographic strength of your AD RMS deployment by running in an advanced mode known as "Cryptographic Mode 2'. What value does this mode 2 offer you? Running AD RMS in this updated mode provides a cryptographic implementation that supports enhanced encryption as well as longer cryptographic keys. For example, in mode 2 operation, RSA encryption is enhanced from 1024 bit encryption to 2048 bit encryption. Also, hashing is enhanced from using SHA-1 (128 bits) to SHA-256 (256 bits).

The value of this enhanced cryptography in AD RMS is that it can be part of enabling your organization to satisfy regulatory compliance with current security standards that are set by the National Institute of Standards and Technology (NIST). Starting January 1, 2011, NIST issued Special Publication 800-57 which recommends the use of 2048-bit RSA keys. United States Federal agencies are required to comply with NIST recommendations and many private enterprises and other countries may choose to implement this recommendation. To learn more, see NIST Special Publications (http://csrc.nist.gov/publications/PubsSPs.html).

To enable the use of this new Cryptographic Mode 2 in your AD RMS deployment, all computers that host either AD RMS server or client software must be patched and updated. To find out more about how to approach updating your deployments to support mode 2 operation, see Active Directory Rights Management Service Cryptographic Modes.(http://go.microsoft.com/fwlink/p/?LinkID=241989).

Note While the AD RMS cryptography update described here offers backwards compatibility for content that was previously protected using 1024-bit length keys, this compatibility is only available for clients mentioned in this article that have currently released updates which provide this support. At present, no client updates for this enhacned cryptography are available for RMS clients running under Windows XP.

Comments
  • With this implemented, are usernames and passwords in the Active Directory 'hashed' using SHA-256 (SHA-2), or are they still only hashed with MD5 (or SHA-1 even)?

  • Hi.

    I'm using Vista x64 SP2 and I have an application using adrms client. My adrms server is configured to use cryptographic mode 2. But I don't know how I can upgrade my client in the Windows Vista client. The hotfixes published for clients by Microsoft (technet.microsoft.com/.../hh867439(v=ws.10).aspx) are for Windows 7 SP1, Windows Server 2008 R2 and fo Office 2010 and 2007. But I'm not using Office as adrms client.

    How could I upgrade the adrms client in windows Vista SP2?

    Thanks

    Best Regards

  • Hello Juancar,

    I will find this out shortly and reply to your question.

    Thanks,

    Gagan Gulati, Lead PM, RMS

  • Hello Juancar,

    I talked to my team. We built Crypto mode 2 support start with Windows 7 only so you will not be able to upgrade your ADRMS client in Windows Vista SP2.

    If you want to keep using Windows Vista SP2, there's a way out. You can move your application to use RMS SDK 2.1 which supports Crypto mode 2. If you need help with this send me a private email at gagang@microsoft.com

    Thanks,

    Gagan Gulati

    Lead PM, RMS

  • Thank you so much Gagan.

    I will try SDK 2.1. If I need help I will let you know.

    Thanks

    Best Regards

  • One more question. As it is said in the prerequisites for AD RMS Cryptographic Mode 2, Windows Vista with SP2 can support this crypto mode. So this prerequisites are going to be modified to take out from the list? Or this prerequitie refers to Windows Vista SP2 running Office 2010 or Office 2007, so you can use the hotfixes to Office 2010 or Office 2007?

    Thanks again

    Best Regards

    Juancar

  • Hi Gagan , I have ADRMS server running on Windows 2012 with Cyptography 2. Office 2013 on windows 8is working fine.
    Problem with office 2010 on Windows7. Earlier Windows 7 machines were not getting option for IRM. after installing the hotfix KB2627273 . office 2010 on win 7 machine got the IRM . but now these machines not getting the templates . kindly help.

  • Hi Dipak,

    You also need to deploy Hotfix for Office (KB 2596501) to enable Office 2010 to utilize IRM. See details here: http://technet.microsoft.com/en-us/library/hh867439(v=ws.10).aspx#BKMK_Enable

    Look for the pre-requisites section

    Thanks,
    Gagan

  • Hi Gagan, Thanks for your reply, which TechNet url you are referring, I have gone through it. hotfix KB2627273 is applied to win 7 64 machines to activate the RSA length . there is no hotfixes for win 7 32 bit client.
    Second if ADRMS running with Cryptography 2. Win 7 32 bit machine will not be activated. win 7 64 bit machine will be activated for IRM but Templates will not be appear after being downloaded to DRM folder because format is different.. office 2010 does not recognize this template format. office 2013 will recognize. running on win 7 .

  • Hi Gagan . Thanks a ton. I reviewed the perquisites for win 7 office 2010 and found one hotfix was missing. I installed it and got it fixed.

    thanks again

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment