Last month, Microsoft has released KnowledgeBase article 2862966 An update is available that improves management of weak certificate cryptographic algorithms in Windows as a helping hand to administrators to indicate and/or eradicate the use of weak cryptographic algorithms in their networking environments.
Microsoft has implemented newer and stronger cryptographic algorithms into Windows over the years to accommodate the security needs of IT administrators and application developers. However, legacy hash algorithms and certificates using them may still pose a significant security risk to the networking infrastructure, when malicious people want to wreak havoc on it, because often the old weak algorithms are still in use. Through exploit(kit)s, malicious people may retrieve passwords and other critical information to your infrastructure, because these kinds of encryption can be bypassed or decrypted in a matter of minutes with todays hardware.
To Windows 8.1 and Windows Server 2012 R2, Microsoft has added functionality, that provides greater control over RSA keys, hash algorithms, and non-RSA asymmetric key algorithms. This way, an administrator may:
- Define policies to selectively block cryptographic algorithms that override settings provided by the operating system.
- Opt-in or opt-out of each policy independently.
- Enable logging per policy (independent of other policies). Logging is off by default.
- Specify a location to which blocked certificates are copied.
- Set policies per algorithm and define hash algorithm policies and asymmetric algorithm policies
Now, an update is available for Windows versions prior to Windows 8.1 and Windows Server versions prior to Windows Server 2012 R2 with the same functionality as part of Microsoft KnowledgeBase article 2862966.
On these Windows Operating System versions you must install this update before you install security update 2862973 Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013.
Windows Update will not offer this security update to Windows RT-based computers until update 2808380 Windows RT-based device cannot download software updates or Windows Store apps is installed.
This functionality includes setting minimum key sizes for asymmetric algorithms such as RSA, DSA, and ECDSA, and blocking the use of weak hashing algorithms such as MD5, in advance of Microsofts complete blocking of the MD5 hashing algorithm for Microsoft root certificates in April 2014.
Installing the update
Now, to use this functionality, install the update, corresponding to the Windows Operating Systems in use within the networking environment:
- Security Update for Windows Vista x86
- Security Update for Windows Vista x64
- Security Update for Windows Server 2008 x86
- Security Update for Windows Server 2008 x64
- Security Update for Windows 7 x86
- Security Update for Windows 7 x64
- Security Update for Windows Server 2008 R2 x64
- Security Update for Windows 8 x86
- Security Update for Windows 8 x64
- Security Update for Windows Server 2012 x64
Using the functionality
On the command line
On Windows 8.1, Windows Server 2012 R2 and on prior Windows versions with the update applied, you can now block the cryptographic algorithm using certutil.exe.
As an example, the following command line disables MD5 for all SSL server authentication certificates under third-party root Certification Authorities (CAs), but allows signed binaries before March 1, 2009 to be accepted. This does not apply to other Server Authentication Enhanced Key Usages (EKUs). Logging is enabled.
Certutil -setreg chain\WeakMD5ThirdPartyAfterTime @1/1/2010
Through the registry
The above command will create a registry value to set the cryptographic algorithm blocking policies in the following registry key:
In this case, the result is a REG_Binary value in the above Registry key with the name WeakMD5ThirdPartyAfterTime and value data representing the time flag and options.
Through Group Policy
Now that you have the registry values and value data you need, you can use Group Policy Preferences to distribute this information to targeted Windows machines.
More information on auditing, logging and blocking of cryptographic algorithms can be found on the TechNet page on Protecting Against Weak Cryptographic Algorithms.
When you want to protect your networking infrastructure from attacks through weak cryptographic algorithms like MD5 and SHA-1 or want to set a minimum bit length for RSA, DSA and/or ECDSA certificate encryption, install the update from Microsoft KnowledgeBase article 2862966 (except for Windows 8.1, Windows Server 2012 R2 and beyond) and roll out your auditing, logging and/or blocking policies.
Related KnowledgeBase articles
2862966 An update is available that improves management of weak certificate cryptographic algorithms in Windows
2862973 Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013
2808380 Windows RT-based device can’t download software updates or Store apps
841290 Availability and description of the File Checksum Integrity Verifier utility