Microsoft has announced that it will stop supporting Windows RSA keys with lengths less than 2048, prompting calls from experts for organizations to get their machine identity management in order.
The move will deprecate RSA keys in Windows Transport Layer Security (TLS) in an attempt to force organizations to stop using weaker encryption methods for server authentication.
Rivest-Shamir-Adleman (RSA) is an asymmetric encryption algorithm that uses a pair of keys, a public key and a private key, to encrypt data for secure communications over an enterprise network.
RSA encryption keys, once a critical part of cybersecurity, have become vulnerable to advanced cryptographic techniques driven by recent advances in computing power.
Microsoft said the decision will align the industry with recommendations from Internet standards and regulatory bodies, which banned the use of 1024-bit keys in 2013.
“Internet standards and regulatory bodies banned the use of 1024-bit keys in 2013, specifically recommending that RSA keys have a key length of 2048 bits or longer,” the company said.
Microsoft added that TLS certificates issued by testing companies or certification authorities (CAs) will not be affected by the move, but still recommended that they be upgraded to roughly 2048-bit RSA keys.
As of this writing, Microsoft has not indicated when exactly the deprecation process will begin, but it is expected that this announcement will be followed by a grace period, as it did with previous key length deprecations.
Changes to Windows RSA keys 'could create headaches' for unprepared businesses
Kevin Bocek, chief innovation officer at security company Venafi, said the announcement is a positive development from a security perspective and complements Google's decision to shorten the validity period of TLS certificates.
He noted how this measure will improve the security of certificate authentication, but could create some problems for companies that do not have a mature approach to machine identity management.
“These certificates verify and authenticate that a connection can be trusted by providing a machine identity. “Longer key lengths are harder to crack, which reduces the risk of brute force attacks, just as having a shorter identity lifetime reduces the risk of identities being misused and stolen,” Bocek said. .
“However, while longer key lengths and shorter validity periods are good news for security, they could create headaches for companies that don't control the identity management of their machines.”
Bocek noted the volume of machine identities present on most corporate networks and pinpointing the identities that will be affected by the deprecation could prove to be a difficult task.
“On average, enterprises have about half a million machine identities on their networks; Identifying which identities will be affected by this change and enforcing policies around key lengths might seem like finding a needle in a haystack,” he explained.
“However, if depreciated identities are not replaced, it could cause unplanned disruption, severely disrupting business operations, negatively impacting customers, damaging brand reputation, and even putting them on the wrong side of regulators. “.