RSA keys shorter than 2048 bits will soon be deprecated in Windows

March 22nd, 2024 by Stephen Jones

Microsoft has announced that RSA keys shorter than 2048 bits will soon be deprecated in Windows Transport Layer Security (TLS) to provide increased security. Rivest–Shamir–Adleman (RSA) is an asymmetric cryptography system that uses pairs of public and private keys to encrypt data, with the strength directly related to the length of the key. The longer these keys, the harder they are to crack.

1024-bit RSA keys have approximately 80 bits of strength, while 2048-bit keys have approximately 112 bits, making the latter take four billion times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030.

RSA keys are used in Windows for several purposes, including server authentication, data encryption, and ensuring the integrity of communications.

“This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.”

Unfortunately, this move will likely impact organizations using older software and network-attached devices, such as printers, that utilize 1024-bit RSA keys, preventing them from authenticating with Windows servers.

While Microsoft has not specified precisely when the deprecation will begin, it will likely involve a formal announcement followed by a grace period, as we saw with the deprecation of keys under 1024 bits in 2012.

During this grace period, Windows administrators can configure logging to determine what devices are attempting to connect using older keys and will be impacted by this change.

Microsoft has decided to limit the scope of impact so as not to affect TLS certificates issued by enterprise or test certification authorities. However, Microsoft strongly recommends that organizations transition to RSA keys of 2048 bits or longer as soon as possible as part of following best security practices.
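
On the Windows hosts themselves, a first step toward that transition is to inventory installed certificates whose RSA keys fall below the threshold. The PowerShell below is an added example, not code from the article or from Microsoft; the function names and the default choice of the `Cert:\LocalMachine\My` store are assumptions.

```powershell
# Added example: list RSA certificates usable for TLS server authentication
# whose public key is shorter than 2048 bits. Function names are hypothetical.
$MinRsaBits    = 2048                    # threshold stated in the article
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth (TLS server authentication)
$RsaOid        = '1.2.840.113549.1.1.1'  # rsaEncryption

function Test-ServerAuthCapable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # A certificate without an EKU extension is not restricted to specific purposes.
    if (-not $eku) { return $true }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid
}

function Get-ShortRsaCertificate {
    # Assumption: the machine's own certificates live in LocalMachine\My.
    param([string[]]$StorePath = @('Cert:\LocalMachine\My'))
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # ECDSA and other non-RSA keys are outside the scope of this check.
        if ($cert.PublicKey.Oid.Value -ne $RsaOid) { continue }
        if (-not (Test-ServerAuthCapable -Certificate $cert)) { continue }
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        try {
            if ($rsa.KeySize -lt $MinRsaBits) {
                # Issuer is reported so certificates from enterprise or test CAs
                # can be told apart from the rest.
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $rsa.KeySize
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        } finally { $rsa.Dispose() }
    }
}

Get-ShortRsaCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```

The check covers only certificates installed on the machine where it runs; it does not see certificates presented by remote devices such as printers.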

