Print 10 comment(s) - last by Nosebleeder.. on Jul 14 at 11:39 PM

Microsoft roots out obsolete MD5 certificates, disallows RSA keys shorter than 1024 bits

In August, Windows computers will receive a critical update via Windows Update.  The patch is designed to close a security loophole in Windows' encryption that is being actively exploited by malware authored by the U.S. government and Israel.

I. Exploiting Trust in Microsoft

Currently, Windows allows 256-, 384-, and 512-bit keys.  Some Microsoft Corp. (MSFT) Terminal Server Licensing (MSTL) certificates until recently also used the weak MD5 hashing algorithm, despite the algorithm being officially discontinued in 2009.

The weaknesses, both on the hashing and the key-length front, allowed "world-class" malware authors -- believed to be in the employ of the U.S. government and Israel -- to write a piece of malware called Flame, which uses a MTSL certificate cracked by a hitherto unknown attack called MD5 chosen prefix collision.

Certificate in hand, Flame was able to masquerade as a Windows Update from the ultimate trusted source in the Windows world -- Microsoft.  Thus the malware quickly proliferated in its intended target location -- Iran and the Middle East.

Flame infographic
Flame has narrowly targeted the Middle East, particularly Iran. [Image Source: Kapersky Labs]

II. Microsoft Fights Back With Patch

Kurt L. Hudson, a senior technical writer at Microsoft, has posted a Windows PKI blog regarding next month's Windows Update, which is expected to tighten key restrictions to prevent further abuse.

He writes:

To further reduce the risk of unauthorized exposure of sensitive information, Microsoft has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This update will block the use of cryptographic keys that are less than 1024 bits.
To prepare for this update, you should determine whether your organization is currently using keys less than 1024 bits. If it is, then you should take steps to update your cryptographic settings such that keys under 1024 bits are not in use.

The update could render applications with signatures shorter than 1024-bits unable to install.  It may also create difficulties with certain websites, SSL certificates, and Active X controls.  

Windows key chain error
Shorter keys will no longer be considered valid in Windows. [Image Source: Microsoft]

Corporate users are given a series of suggestions to prepare the signature length bump.  It remains to be seen exactly how difficult the transition will be for everyday consumers.

1024-bit signatures will be short-lived, as well.  The National Institute of Science and Technology in 2011 designated [PDF] Dec. 31, 2013 as the official target date to black out 1024-bit key encryption using the RSA and DSA algorithms.

key in door
Key-based encryption algorithms are only as secure as the enemy is weak hardware- and algorithm-wise. [Image Source: Margie Stibora]

The security community must constantly bump encryption algorithm strength and length in the face of ever increasing computing power and clever new attacks.  No encryption standard is safe from individuals with sufficient computing power and savvy in the long run -- even quantum encryption has proved susceptible to attacks on the hardware used to encrypt the quantum bits (qBits).  Thus security is measured in fleeting moments of safety, using technology that in years will be rendered useless.

III. Did the U.S. go to War With Iran?

Since Flame was discovered, Microsoft has also conducted a vigorous screen of its licensing certificates and discovered 28 other certificates that did not live up to its current standards, but had escaped correction in past cleanups.

Flame remains a hot topic, as both it and Stuxnet are the subject of lively debate over whether the U.S. "declared war" on Iran by unleashing the malware on it.   

Flame worm
Rooting out the Flame worm is a top priority for Microsoft. [Image Source: Krishnan Vasuvedan]

Presidents George W. Bush Jr. and Barack H. Obama both allegedly authorized the use of the malware against the Asian nation.  Stuxnet primarily targeted Iran's nuclear weapons refining facilities, while Flame offered a general attack on Iran's oil industry -- one of the key sources of GDP for the nation.

Source: Microsoft

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Did the US go to war with Iran...
By MechanicalTechie on 7/12/12, Rating: 0
RE: Did the US go to war with Iran...
By Samus on 7/12/2012 11:38:01 PM , Rating: 2
Conspiracies aside, American tourists and journalists are among the most kidnapped/murdered of any other nation BY other nations. So our government, to some extent, has a reason to be assertive and paranoid. However, smokescreens like the TSA and oxymorons like the CIA are not winning any favors from me...but I know where they are coming from because I know how broken our political system is.

By MechanicalTechie on 7/12/2012 11:50:43 PM , Rating: 3
It is true that Americans are being targeted when in foreign countries and this is unfortunate... but you have to ask yourself the question... why?

It’s nothing more than cause and effect... US bombs a wedding reception, hospital, school or embassy (only in the pass 5yrs) and you'll breed contempt(even if done by accident)... not really a conspiracy... just human nature to retaliate for a wrong done against them... oh course two wrong don’t make a right.. but it helps explains why

RE: Did the US go to war with Iran...
By semiconshawn on 7/13/2012 2:49:18 AM , Rating: 2
There is no moral high ground in war you idiot. We are at war with Iran. It's called cold war. Nobody declares. Everybody understands.....well not everybody.

RE: Did the US go to war with Iran...
By MechanicalTechie on 7/13/2012 3:07:42 AM , Rating: 2
Oh course there is a moral high ground.. its the different between a pariah state and one that acts in self defence. War should be avoided at all cost, no one wins in a war only different levels of loss... if you had a better grasp of history you would know that! And if you think breaking international laws and US law is acceptable then clearly your the idiot.

RE: Did the US go to war with Iran...
By Digimonkey on 7/13/2012 1:02:08 PM , Rating: 2
It could be argued this is to prevent war, at least war in a traditional sense. If Iran developed nuclear weapons and threatened to use such nuclear weapons, I doubt the US could stay out of it.

By dark matter on 7/14/2012 5:04:52 PM , Rating: 2
So you start a war to prevent one.

Yup, that makes sense.

By martyrant on 7/13/2012 9:48:54 AM , Rating: 3
Mechanic is right, it would do everyone well to learn about the real history of this country rather than the one force fed you through institutions. There are many, many books that are no longer even in print because history is actively suppressed int his country. Take Ferdinand Lundberg for example. He first blew the whistle on William Hearst in 1936 with "Imperial Hearst". He has several other books, two of which are pretty good historical accounts of the US and world elites. The Rich and the Super Rich is 800 pages of how this country was really formed. Another good one of his is Cracks in the Constitution. I find it funny how people tout their constitutional rights on their shoulders, when in reality they have meant a whole lot of nothing for as long as they've really been around. Both are out of print, get them from a library if you can or find a used copy and set your mind free ;)

I am not a liberal or conservative, I do not believe in bipartisanship as it is only created to make us fight among ourselves and ignore the real issues. I have a set of moral values and they do not fall into the definition of democratic or republican. Until the American people realize we are being pitted against each other and that those in power (behind the pawn of a president) never change seats we will never be able to, to quote RAtM, band together and "take the power back."

RE: Did the US go to war with Iran...
By ZorkZork on 7/14/2012 9:39:39 PM , Rating: 2
Grow up. Covert fighting like this happen all the time. It happened during the cold war and stuff like this has been going on as far back as anyone can remember. And actually a covert war like this is preferable over a "hot war" for most people:

- The US does not loose any soldiers on this and relations to middle eastern countries are not strained (as they would be if the war became hot)..

- The Iranian population does not suffer the consequences of hot war (take a look at Iraq to see the consequences). Consequences are mainly felt by the Iranian leadership, nuclear program and military.

- The world as a whole greatly opposes a hot war as it would send oil prices through the roof.

Of course to some real war might further their causes:

- The Iranian leadership could use some kind of hot war (nothing too big though) to rally the people and to silence their internal opponents.

- Israel would most likely prefer action that would cripple Iran as that would seriously reduce Iranian influence in the rest of the region.

- Most governments in the mid east share the Israeli view but cannot voice it openly as the general public in most countries will support Iran if the war becomes hot.

By Nosebleeder on 7/14/2012 11:39:51 PM , Rating: 2
So how would the US re-act if Iran was behaving the same way?

You Americans reek of double standards, half the world sees you as corrupt, war mongering people, with no honor or dignity... specially if your 'national interest' in oil is involved.

But i guess they are all wrong.. Americans are always right

"The whole principle [of censorship] is wrong. It's like demanding that grown men live on skim milk because the baby can't have steak." -- Robert Heinlein

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki