Microsoft has announced that it will end support for Windows RSA keys with lengths shorter than 2048, prompting calls from experts for organizations to get their machine identity management in order.
The move will see RSA keys deprecated in Windows Transport Layer Security (TLS) in a bid to force organizations to stop using weaker encryption methods for server authentication.
Rivest-Shamir-Adleman (RSA) is an asymmetric encryption algorithm that uses a key pair, a public and private key, to encrypt data for secure communications over an enterprise network.
Once a fundamental part of cyber security, RSA encryption keys have become vulnerable to advanced cryptographic techniques driven by recent advancements in compute power.
Microsoft said the decision will bring the industry in line with recommendations from internet standards and regulatory bodies, who banned the use of 1024-bit keys in 2013.
“Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer,” the company said.
Microsoft added that TLS certificates issued by enterprise or test certification authorities (CA) will not be impacted by the move, but recommended they be updated to RSA keys longer or equal to 2048 bits nonetheless.
As of the time of writing, Microsoft has not stated when exactly the deprecation process will begin, but it is expected this announcement will be followed by a grace period, like it did with previous key length deprecations.
Changes to Windows RSA keys “could create headaches” for unprepared enterprises
Kevin Bocek, chief innovation officer at security company Venafi, said the announcement is a positive development from a security standpoint, and complements Google’s decision to shorten the validity period of TLS certificates.
He noted how this move will improve security of certificate authentication, but could create some issues for businesses that do not have a mature approach to machine identity management.
“These certificates verify and authenticate that a connection can be trusted, by providing a machine identity. Longer key lengths are harder to crack, which reduces the risk of brute force attacks – just as having shorter identity lifespans reduces the risk of identities being misused and stolen”, Bocek said.
“Yet while longer key lengths and shorter validity periods are good news for security, they could create headaches for businesses who do not have a grip on their machine identity management.”
Bocek noted the volume of machine identities present on most corporate networks and pinpointing the identities that will be affected by the deprecation could prove to be a difficult task.
“On average, enterprises have close to half a million machine identities across their networks; identifying which identities will be impacted by this change and enforcing policies around key length could feel like finding a needle in a haystack”, he explained.
“Yet if the depreciated identities are not replaced, it could cause an unplanned outage – severely disrupting business operations, negatively impacting customers, damaging brand reputation, even putting them on the wrong side of regulators.”
