Phasing out of support for 1024 bit RSA keys

From 1st January 2014, browsers and certificate authorities will only support 2048 bit RSA keys and larger. This is for security reasons – the general belief is that 1024 bit RSA keys can be cracked in an unacceptably short time using current technology. To avoid a rush of problems around Christmas, many providers of certificates and online services have already started implementing this change.

The RSA key is used to sign SSL and other security certificates. The impact will potentially be felt in three main areas:

  • your own website security certificates
  • browser-based and other interaction with online services
  • devices such as firewalls and remote access solutions which use certificates

Certificates

Commercial certificates will probably not be a problem since the certificate authorities have only been issuing 2048 bit certificates since mid-2012. If you have a current certificate with a validity of two years or more, you should check whether it is 1024 or 2048 bit signed. But if you are using self-signed certificates, especially ones generated by older software, you should definitely look closely at them.

Browsers and online services

Online services include offerings such as Google’s Gmail and Microsoft’s Office365. Most browsers should not experience a problem. Any issue that does arise will likely be connected to the browser or OS not having an up-to-date set of root certificates. Recent operating systems on PCs and phones will automatically update the root certificates as part of system updates or on demand when a certificate chain goes back to an unknown root certificate. However, Windows XP prior to SP2 does not do this (or have the correct root certificate).

So if you start getting issues on older systems with sites that used to ‘just work’, this is definitely an area to look at. If you want to test whether a browser is capable of making 2048 bit connections, you can use https://cert-test.sandbox.google.com/.

Devices

The biggest issue is likely to come from devices such as firewalls and other network devices which have embedded certificates that are needed for some or all of their capabilities. In small businesses, these devices typically have a long life and are infrequently updated. So it is very possible that they will have certificates that are not supported after 31st December 2013.

The impact could be as little as a device not being able to collect update information from the vendor, through multifunction printers not being able to email a scan, all the way to a network access device refusing connections.

If you have concerns over how this might affect you, first check the manufacturers’ websites for advisories. If you’re still unsure of your position, contact your IT support supplier or IS People for help.

We’ll also be publishing news articles relating to devices and systems we supply or regularly support, so check back here for updates.