The warnings have been substantial, but many companies are nonetheless holding their breath awaiting potential fallout from Microsoft's end of support for certificate encryption keys of less than 1,024 bits. Any such "short" certificates on a network can cause server-to-server communications to fail, thereby causing at least parts of the network to grind to a halt. The move towards longer keys is expected to greatly enhance security, especially after bugs such as the Flame malware exploited short keys in order to gain access to systems.
"Basically, the attackers are going after PKI [public key infrastructure] and the related certificates," said Paul Turner, vice president of product strategy at Venafi. "They are attacking certificates and private keys. These are at the center of the target because they're thinking 'These things are trusted. If we can break them, we can gain access to all kinds of other controls.' So, with this higher focus from the attackers, organizations need a much better posture with their key certificates. And frankly, most organizations do not have a complete inventory."
Turner said that ongoing assistance with this issue represents a major service opportunity for channel partners. The issue, he claims, is twofold: one part is the practical matter of replacing short certificates, and the other is determining the key length of the certificates an organization already has.
"A lot of organizations do not have an accurate inventory of all the keys and certificates, so a lot of them aren't even sure if they have keys that short," he said. "These keys and certificates are, in effect, identity cards for your systems. Once they have finished the inventory, they need to be able to identify who within the organization owns those systems, because if they have a big problem, or if they find a less-than-1,024-bit certificate, they need to know who to go to. And if your organization has 100,000 certificates, this can be a challenge."
Turner recommends that organizations do two types of discovery. The first is network-level discovery, which connects to each system and queries the certificate it presents. The second is a manual follow-up, because some certificates are not visible on the network and can only be discovered using an agent or similar tool on the host.
Turner noted that the National Institute of Standards and Technology instructed all organizations to eliminate short keys by the end of 2010, but then extended that date to the end of 2013 because many companies simply did not have the necessary inventories available for review. It is anyone's guess how many sub-1,024-bit keys are currently in use, but the numbers will become more obvious over the next few days.
This risk also applies to SSH keys. "But, since SSH keys don't expire, many people haven't replaced them, so they will have even 768- or, in some cases, 512-bit keys out there for SSH. And that's a big risk," Turner said.
Venafi offers a product for conducting that discovery and itemizing the inventory. It also provides free software for an initial risk assessment.
PUBLISHED OCT. 9, 2012