Third-party tools are needed to assess certificates not included in Microsoft's CAPI

Oct 10, 2012 08:30 GMT

Microsoft has officially restricted the use of digital certificates whose keys are shorter than 1024 bits. Experts warn companies that rely on Windows operating systems that they need to identify and replace these weak keys to avoid data breaches and critical application outages.

Venafi, an Enterprise Key and Certificate Management (EKCM) solutions provider, advises organizations to replace these weak keys and certificates immediately, because the risk of certificate-based malware attacks that could seriously disrupt businesses has increased.

Venafi representatives warn that the update released by Microsoft does not address weak-key certificates outside the CryptoAPI (CAPI) environment. The security risks posed by these keys need to be addressed with third-party solutions.

Companies unable to precisely analyze the digital certificates deployed in their networks can turn to Venafi’s free risk assessment tool, which automates key and certificate discovery and provides detailed information.

The MD5 Certificate Assessor can be used to determine the number of keys, their lengths, certificate expiration dates, and the details of the issuing certificate authorities.
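The inventory the article describes (key lengths, MD5 signatures, expiry dates, issuers) can be reproduced for the certificates Windows itself knows about with a few lines of PowerShell. This is an added example, not Venafi's tool or code from the article; it assumes Windows PowerShell 5.1 with .NET 4.6 or later (for `GetRSAPublicKey`) and reads only the local certificate stores.

```powershell
# Added example: flag certificates in the Windows stores with RSA keys below the
# threshold enforced by Microsoft's update, MD5-based signatures, or an expired validity.
param(
    [string[]]$Stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
    [int]$MinimumRsaBits = 1024   # threshold from the Microsoft update discussed above
)

function Get-WeakCertificateReport {
    param([string[]]$Paths, [int]$MinBits)

    foreach ($path in $Paths) {
        # -Recurse returns store containers as well as certificates; keep only certificates
        Get-ChildItem -Path $path -Recurse |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # Returns $null for non-RSA keys (e.g. ECDSA), which the 1024-bit rule does not cover
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
                $sigAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA, sha256RSA

                $findings = @()
                if ($keyBits -and $keyBits -lt $MinBits) { $findings += "RSA key $keyBits bits (< $MinBits)" }
                if ($sigAlg -match '^md5')               { $findings += "MD5 signature ($sigAlg)" }
                if ($cert.NotAfter -lt (Get-Date))       { $findings += "expired $($cert.NotAfter.ToShortDateString())" }

                if ($findings.Count -gt 0) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\My
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        Thumbprint = $cert.Thumbprint
                        KeyBits    = $keyBits
                        SigAlg     = $sigAlg
                        NotAfter   = $cert.NotAfter
                        Findings   = ($findings -join '; ')
                    }
                }
            }
    }
}

Get-WeakCertificateReport -Paths $Stores -MinBits $MinimumRsaBits |
    Sort-Object KeyBits |
    Format-Table -AutoSize
```

This covers only what the Windows stores (and therefore CAPI) can see; keys held in application keystores, appliances and non-Windows hosts are exactly the ones the article says the Microsoft update does not reach.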

“The risks are no longer hypothetical. MD5 certificates were the open door that allowed Flame to penetrate networks and gather information. Microsoft closed their door by issuing a security patch,” said Jeff Hudson, Venafi’s CEO, when the MD5 Certificate Assessor was released to the public.

Back in August, Venafi and the National Institute of Standards and Technology (NIST) released a study called “Preparing for and Responding to Certificate Authority Compromise and Fraudulent Certificate Issuance.”

The report highlights the fact that certificate authorities have recently become tempting targets for cybercriminals. That is why NIST decided it was a good time to warn organizations of the risks posed by fraudulently issued certificates.