This week, Microsoft announced that certificates with RSA keys shorter than 2048 will soon no longer be supported by Windows. This is just the latest move in the company’s larger effort to shore up TLS security, including the deprecation of TLS 1.0 and 1.1 on upcoming Windows and the end of TLS 1.0, and 1.1 support for Azure Storage Accounts. This series of TLS security updates shows Microsoft taking decisive steps to make server authentication, communications integrity, and data encryption more secure.
According to Venafi Chief Innovation Officer, Kevin Bocek, “The news from Microsoft that support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated is very welcome. It forms part of a wider trend amongst the big tech companies to improve digital security—with Google announcing last year that it intends to shorten the validity period of TLS certificates from 398 days to just 90 days.”
CIO Study: Automation Vital to Address Shorter Lifespans and Massive Growth of TLS/SSL Certificates
Better encryption is better for all
But this move may seem slightly overdue. Global regulatory bodies have been disallowing the use of 1024-bit keys since 2013. But in the end, the effort to protect organizations from weak encryption wins out. And Microsoft's decision to move the minimum requirement for RSA keys to 2048 bits or longer for certificates used in TLS server authentication is critical to that effort.
“This is important because TLS certificates verify and authenticate that a connection can be trusted, by providing a machine identity,” notes Bocek. “Longer key lengths are harder to crack, which reduces the risk of brute force attacks—just as having shorter identity lifespans reduces the risk of identities being misused and stolen. Yet while longer key lengths and shorter validity periods are good news for security, they could create headaches for businesses who do not have a grip on their machine identity management.”
RSA encryption keys have become very common in digital security to maintain data integrity and secure communications primarily. However, advances in recent years, particularly in cryptography research and computing capabilities, have made 1024-bit encryption keys vulnerable to cyberattacks.
According to Bleeping Computer, 1024-bit RSA keys have approximately 80 bits of strength, while the 2048-bit key has approximately 112 bits, making the latter four billion times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030. Following the update, future Windows updates should be able to block malicious and outdated web-based apps and websites.
How much do you know about your TLS certificate attributes?
But, just as with the deprecation of SHA-1 hashing algorithms, updating internal systems proves much more time consuming that public facing systems, which have likely evolved over time to support industry standards for encryption. This is largely due to legacy systems that don’t support higher key lengths and the tendency to use long-lived internal certificates, which often get lost in the shuffle. To that point, some organizations will be challenged to update older software and network-attached devices, such as printers, that use 1024-bit RSA keys, preventing them from authenticating with Windows servers.
But effectively addressing the deprecation could prove to be an even greater project than some might think. Organizations may be challenged to identify which systems are still using 1024-bit encryption certificates. “On average, enterprises have close to half a million machine identities across their networks; identifying which identities will be impacted by this change and enforcing policies around key length could feel like finding a needle in a haystack,” warns Bocek. “Yet if the depreciated identities are not replaced, it could cause an unplanned outage—severely disrupting business operations, negatively impacting customers, damaging brand reputation, even putting them on the wrong side of regulators.”
Here's how you can be sure you're compliant
How can organizations be sure that they no longer rely on RSA 1024-bit keys anywhere in their network? The first step is creating an all-inclusive inventory of the machine identities that they are using, complete with attributes such as key length. But an effort of this magnitude is not one that can be completed manually. Given the scope and scale of machine identities being used by large organizations, automation is really the only effective approach.
Bocek sums up, “Against this backdrop, automation is essential. Manually managing certificate lifecycles is slow, resource intensive, highly inefficient, error-prone, and risky—it’s a total nightmare. Instead, businesses need to ensure all machine identities are managed centrally through a control plane. By implementing a control plane to automate the management of machine identities, organizations can eliminate the risk of certificate-related outages.”
Venafi can help you keep all machine identities up to date
Venafi offers a Control Plane for Machine Identities that provides enterprise wide observability of all TLS certificates in use. The control plane also equips your enterprise with the consistency, reliability and flexibility you need to manage all types of machine identities, no matter where they are used or located. But even better, it helps you ensure that no machine identities fall through the cracks to negatively impact your business.