KB2661254: August Security Release Cycle Will Block RSA Keys Under 1024 Bits – Impact to SCUP 2011

Microsoft recently released a security update to block RSA keys that are less than 1024 bits: KB2661254 https://technet.microsoft.com/en-us/security/advisory/2661254

This update is now released to download center only and not yet be enforced to MU. So customers have some time to review all their certificates used and see if they meet the key length requirement.

System Center Update Publisher requires a certificate to sign the 3rd party updates and that certificate need to be trusted by all the WU Agent clients. We support two ways to create this signing certificate: Create one from an existing Public Key Infrastructure or create a self-sign certificate through SCUP console. The later one will call WSUS API to create the self-sign certificate.

https://blogs.technet.com/b/jasonlewis/archive/2011/07/12/system-center-updates-publisher-signing-certificate-requirements-amp-step-by-step-guide.aspx shows the step to create a certificate from windows PKI. It mentions the minimum key size is 2048.

Every modern security algorithm can be cracked by brute force. It’s just a matter of the time. When the key length is longer enough, it can take decades to brute force crack it. Recent research shows: 512 is not a safe key length for RSA, so MS release the update to require key length of 1024. 1024 is safe for now, but with the development of computing capacity, it might not be safe in the future. So if you can control the length, we’d suggest it to be at least 2048.

If you choose to use self-sign certificate through SCUP, then you cannot decide the key length of the certificate you created. WSUS API will decide the key length.

For WSUS 3.0 SP2 without hotfix, the key length will be 512.

For WSUS 3.0 SP2 with hotfix KB2530678 or KB2530709 (the two updates that are pre-requisites for SCUP 2011) or KB 2720211 (the WSUS hardening update which included the KB2530678 and KB2530709), the key length will be 1024.

So check the SCUP signing certificate on your environment, if it’s 512, then you’ll need to re-create it. Otherwise, OS applied KB2661254 (the RSA key block update) will fail to install the 3rd party updates published with SCUP.

You will see the following error in WUAHandler.log (and WindowsUpdate.log):

Failed to download updates to the WUAgent datastore. Error = 0x80096004

0x80096004 means “The signature of the certificate cannot be verified”.

Comments

  • Anonymous
    September 14, 2012
    The comment has been removed

  • Anonymous
    September 14, 2012
    On the local SCCM 2007 server i got this error in the WUAHandler log file. "Failed to download updates to the WUAgent datastore. Error = 0x800b0109."

  • Anonymous
    September 17, 2012
    To Burt: self generated certs created by SCUP cannot be moved between WSUS servers. So your scenario is not supposed to work.

  • Anonymous
    September 25, 2012
    I actually got it to work. I had to republish my SCUP published applications with the new certificate