
MS will release their Update for Minimum Certificate Key Length to WSUS next month.

I'm curious about any special preparations anyone may have taken to identify certs within their domains that may not meet the new minimum key length standard (1024).

Embedded devices, if using SSL, come to mind as a potential source of problems.

Also, is anyone briefing their Help Desk staff on how to respond to callers who report that they can't connect to sites because of the new requirement?

It's hard to tell how much is going to break with this update.

Marty

--

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password. Please ignore all such requests.

Comments

Marty,

I emailed our server admins asking them to go through all their server certs to make sure they were o.k. We found a couple on admin interfaces for commercial software.

I also notified our techs that they may be seeing issues out in the field. I have not talked to our help desk yet.

It is hard to tell how big of a deal this will become.


Mike Hanson, CISSP
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811






I notified folks I thought would have embedded devices such as alarm systems, lab equipment, environmental controls, vending, and networking. I don't know what common vendor practice is or has been with self-signed certificates, but many systems come with them by default and older ones might default to a small key size.

Marty:

We use a vulnerability scanner from Digital Defense on our server VLANs. This scanner notes the certs it sees on each server along with other information related to vulnerabilities. We were able to discover several certs that had key length less than 1024 bits by going through the scan results. We then notified server administrators of the indicated servers. We expect to do follow-up on remediation.

David Lundy

------

David Lundy
Assistant IT Security Officer
Office of Information Technology
University of the Pacific
Stockton, CA 95211
Email: dlundy@pacific.edu
Voice: 209-946-3951
Fax: 209-946-2898


A resource to check sites is available at http://www.digicert.com/help/
It will check against the length requirement, Debian key vulnerability,
expiration date and if the cert is installed correctly.

la

Louis Aponte
Weber State University

On 9/12/2012 at 12:53 PM, in message <5050DA44.9090709@albany.edu>, Martin Manjak <mmanjak@ALBANY.EDU> wrote:
Message from jcampbell@fgcu.edu

I haven't tried it yet, but it looks like nmap should be able to handle this task as well. The -sV scan option can identify SSL services and then it looks like you can use this NSE script to check key length on the hosts you identified:
-- 
Josh Campbell
Systems Administrator
Business Technology Services
Florida Gulf Coast University
Griffin Hall 129
239-590-1235

Never give out your username or password to anyone.
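The scanner approach David describes and the nmap approach Josh describes come down to the same check: take the certificate a service presents and read the RSA modulus size out of its SubjectPublicKeyInfo, then compare it with the 1024-bit floor. The following is an added example, not code from this thread, from Digital Defense, or from nmap. It uses only the Python standard library: a small DER walker pulls the key size out of any RSA certificate, and the sample certificates it runs on are constructed inline by a tiny DER encoder (they are structurally valid but unsigned and meaningless, and the host names in SAMPLE_CERTS are invented). The key_bits_for_host helper shows how the same parser would be applied to a live endpoint through ssl.get_server_certificate; it is an assumption about how one would wire this into a scan and is not exercised by the samples.

```python
"""Find RSA keys shorter than 1024 bits in DER-encoded X.509 certificates, stdlib only."""
import ssl

MIN_BITS = 1024                                   # floor enforced by KB2661254
RSA_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each element of a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def rsa_key_bits(cert_der):
    """Return the RSA modulus bit length of a DER certificate, or None if the key is not RSA."""
    _, cert, _ = _read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]                # tbsCertificate is its first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, bitstr = [v for _, v in _children(fields[5][1])]
    if next(_children(alg))[1] != RSA_OID:
        return None
    # BIT STRING body: unused-bit count, then RSAPublicKey ::= SEQUENCE {modulus, exponent}
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)
    modulus = next(_children(rsa_pub))[1]
    return int.from_bytes(modulus, "big").bit_length()


def audit(certs, min_bits=MIN_BITS):
    """Return {name: bits} for every certificate whose RSA key is shorter than min_bits."""
    weak = {}
    for name, der in certs.items():
        bits = rsa_key_bits(der)
        if bits is not None and bits < min_bits:
            weak[name] = bits
    return weak


def key_bits_for_host(host, port=443):
    """Fetch the leaf certificate from a live TLS endpoint (network call) and size its key."""
    pem = ssl.get_server_certificate((host, port))
    return rsa_key_bits(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input: a minimal DER encoder builds fake certificates ---

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _seq(*parts):
    return _der(0x30, b"".join(parts))


def _int(v):                                      # INTEGER, with DER sign byte when needed
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _fake_cert(modulus_bits):
    """Structurally valid, unsigned, meaningless certificate carrying an RSA key of the given size."""
    modulus = (1 << (modulus_bits - 1)) | 1       # not a real key; only its bit length matters
    rsa_pub = _seq(_int(modulus), _int(65537))
    spki = _seq(_seq(_der(0x06, RSA_OID), _der(0x05, b"")), _der(0x03, b"\x00" + rsa_pub))
    name = _seq(_der(0x31, _seq(_der(0x06, bytes.fromhex("550403")), _der(0x0C, b"example"))))
    validity = _seq(_der(0x17, b"120101000000Z"), _der(0x17, b"130101000000Z"))
    sig_alg = _seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05, b""))
    tbs = _seq(_der(0xA0, _int(2)), _int(1), sig_alg, name, validity, name, spki)
    return _seq(tbs, sig_alg, _der(0x03, b"\x00" * 9))   # placeholder signature bits


SAMPLE_CERTS = {                                  # invented host names, constructed certs
    "alarm-panel.example.edu": _fake_cert(512),
    "lab-switch.example.edu": _fake_cert(1024),
    "www.example.edu": _fake_cert(2048),
}

if __name__ == "__main__":
    for name, bits in audit(SAMPLE_CERTS).items():
        print(f"{name}: {bits}-bit RSA key is below the {MIN_BITS}-bit minimum")
```

Running the file directly prints the one sample that fails the check (the 512-bit alarm panel); a 1024-bit key passes, since the update blocks keys shorter than 1024 bits, not keys of exactly that size. Two caveats when pointing key_bits_for_host at real hosts: ssl.get_server_certificate returns only the leaf, and the update rejects a chain if any certificate in it carries an RSA key shorter than 1024 bits, so intermediates and roots from internal or vendor CAs on those embedded devices deserve the same check; and a device that only speaks an SSL version the local OpenSSL no longer negotiates will fail the handshake before any certificate is returned, which is itself worth a ticket.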

From: David Lundy <dlundy@PACIFIC.EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 12, 2012 4:18 PM
To: "SECURITY@LISTSERV.EDUCAUSE.EDU" <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [SECURITY] Any special preparations in anticipation of KB2661254 (Key Length) patch?

