Microsoft and many other software vendors can readily update the rules under which they accept certificates, he
says. It may not be that easy to alter the rules used by custom applications, and in some cases IT security pros
may not recall all the places where smaller key sizes are used. "That box just works and nobody thinks about it,"
he says. "A lot of cases will be, 'Oh, we forgot,' or 'We don't know how to upgrade that cert."
Dealing with such cases manually will require time and money, he says. In addition to changing settings, some
hardware may need to be replaced because larger keys sap more processing power. On maxed-out machines, the added
computation could cause unacceptable delay.
Overall, though, the transition should be more of an annoyance than anything else, Pironti says. As certificates
issued to businesses expire, they are generally replaced with certs using longer keys, he says, so there might not
be so many that remain in use.
There are commercial tools for finding and automatically replacing certificates that are too short, Pironti
says. Among them is Director made by Venafi, which contributed to the latest NIST Information Technology Laboratory
bulletin on certificate authority compromise
and fraudulent certificates.
NIST currently has set a deadline of Dec. 31, 2013 for when entities ought to stop using 1024-bit RSA and DSA
encryption. "However, since such keys are more and more likely to be broken as the 2013 date approaches, the data
owner must understand and accept the risk of continuing to use these keys to generate digital signatures,"
according to a special publication called "Transitions: Recommendation for Transitioning
the Use of Cryptographic Algorithms and Key Lengths" published in 2011.
Microsoft is updating its operating systems in the wake of the Flame malware used to spy on networks in Iran.
Flame exploited Micrsoft's use of the MD5 hashing algorithm in authenticating Windows Update. Microsoft officially
disallowed its use in 2009 but failed to weed it out of its own products, particularly Terminal Server Licensing
Service. Researchers figured out how to compromise MD5 using what they call collision attacks to obtain fraudulent
certificates that are accepted as real.
Since Flame was publicized, Microsoft has started a campaign not only to shut down use of MD5 but also beef up
other areas that have not fallen victim to attackers.