Microsoft Announces Deprecation Of 1024 Bit Rsa Keys In Windows
Microsoft has announced that RSA keys shorter than 2048 bits will soon be deprecated in Windows Transport Layer Security (TLS) to provide increased security.
Rivest–Shamir–Adleman (RSA) is an asymmetric cryptography system that uses pairs of public and private keys to encrypt data, with the strength directly related to the length of the key. The longer these keys, the harder they are to crack.
1024-bit RSA keys have approximately 80 bits of strength, while the 2048-bit key has approximately 112 bits, making the latter four billion times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030.
RSA keys are used in Windows for several purposes, including server authentication, data encryption, and ensuring the integrity of communications.
Microsoft’s decision to move the minimum requirement for RSA keys to 2048 bits or longer for certificates used in TLS server authentication is important to protect organizations from weak encryption.
“Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated,” reads the new entry in Microsoft’s list of deprecations.
“Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer.”
“This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.”
Unfortunately, this move will likely impact organizations using older software and network-attached devices, such as printers, that utilize 1024-bit RSA keys, preventing them from authenticating with Windows servers.
While Microsoft has not specified precisely when the deprecation will begin, it will likely involve a formal announcement followed by a grace period, as we saw with the deprecation of keys under 1024 bits in 2012.
During this grace period, Windows administrators can configure logging to determine what devices are attempting to connect using older keys and will be impacted by this change.
To minimize problems, Microsoft has decided to limit the scope of impact so as not to affect TLS certificates issued by enterprise or test certification authorities.
However, the tech giant strongly recommends that organizations transition RSA keys of 2048 bits or longer as soon as possible as part of following best security practices.