Discovering Usage of Keys under 1024 Bits

Microsoft announced the change on this blog post:

If you are currently working with App-V, SCVMM, Hyper-V, SCCM, or any management environment leveraging certificates, it is important to be made aware of a very important update being released next week.

Next week a security fix will be widely distributed which will prevent use of certificates which use weak (less than 1024 bit) RSA keys. Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits.

They encouraged every IT admin to inventory the usage of keys under 1024 bits before running into trouble. They show on this blog post how to do it.

Here is the PowerShell way 🙂

  • Method 1: Just browse your certificate stores
# Walk every store under cert:\ (-Force includes the hidden stores) and report
# RSA keys shorter than 1024 bits. KeySize is compared numerically so that
# 3072- or 8192-bit keys are not reported and 768-bit keys are.
Get-Item -Path cert: |
    ForEach-Object -Process {
        Get-ChildItem -Recurse -Force -Path $_.PSPath |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object -Process {
                # Only RSA keys are affected by the update; skip ECC/DSA certificates
                # (reading .PublicKey.Key on those can throw on some .NET versions)
                if ($_.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                New-Object -TypeName PSObject -Property @{
                    KeySize = $_.PublicKey.Key.KeySize
                    Path = $_.PSParentPath
                    'Expiration Date' = $_.NotAfter
                    'Issued To' = $_.Subject
                    'Issued By' = $_.Issuer
                    Thumbprint = $_.Thumbprint
                }
            }
    } | Where-Object { $_.KeySize -and $_.KeySize -lt 1024 }
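Method 1 only looks at the certificate stores of the machine it runs on. The following function is an added example (not code from the original post or from Microsoft) that also takes certificate files exported to disk, compares the RSA modulus length numerically and skips non-RSA keys. It assumes Windows PowerShell 2.0 or later with the Cert: provider; the Get-WeakRsaCertificate name and the 'C:\Certs' folder in the usage line are hypothetical.

```powershell
# Added example, not code from the original post: inventory RSA keys shorter than
# 1024 bits from the certificate stores and from .cer/.crt files on disk.
# Assumptions: Windows PowerShell 2.0+ with the Cert: provider; 'C:\Certs' below is
# a hypothetical folder of exported certificates.

function Get-WeakRsaCertificate {
    param(
        # Certificate store roots to walk with the Cert: provider
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        # Optional folders containing exported .cer/.crt files (DER or Base64)
        [string[]]$FolderPath = @(),
        # Report RSA keys shorter than this; KB 2661254 blocks anything below 1024
        [int]$MinimumKeyLength = 1024
    )

    $entries = @()

    # -Force includes stores hidden from the default listing; containers are stores, not certificates
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in (Get-ChildItem -Path $path -Recurse -Force | Where-Object { -not $_.PSIsContainer })) {
            $entries += New-Object -TypeName PSObject -Property @{ Source = $cert.PSParentPath; Cert = $cert }
        }
    }

    # X509Certificate2 loads both DER and Base64 encoded certificate files from a path
    foreach ($folder in $FolderPath) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($file in (Get-ChildItem -Path $folder -Recurse -Include '*.cer', '*.crt')) {
            try {
                $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
                $entries += New-Object -TypeName PSObject -Property @{ Source = $file.FullName; Cert = $cert }
            } catch {
                Write-Warning -Message "Could not load $($file.FullName): $($_.Exception.Message)"
            }
        }
    }

    foreach ($entry in $entries) {
        $cert = $entry.Cert
        # Only RSA keys are affected by the update; checking the OID first avoids
        # touching .PublicKey.Key on ECC/DSA certificates, which can throw
        if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { continue }
        $keyLength = $cert.PublicKey.Key.KeySize   # RSA modulus length in bits
        if ($keyLength -lt $MinimumKeyLength) {
            New-Object -TypeName PSObject -Property @{
                KeyLength  = $keyLength
                Source     = $entry.Source
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

# Usage: scan both hives plus a folder of exported certificates, weakest keys first
Get-WeakRsaCertificate -FolderPath 'C:\Certs' |
    Sort-Object -Property KeyLength |
    Format-Table -Property KeyLength, Subject, Issuer, NotAfter, Source -AutoSize
```

Run it under an elevated prompt on each server (or through Invoke-Command) and keep the output: a certificate that is still valid but below 1024 bits has to be reissued before the update lands, whatever store or file it lives in.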
  • Method 2: Use the recommended method from Microsoft

# Method 2: Discovering Usage of Keys under 1024 Bits in Cryptographic Operations

# Step 1: Enable verbose diagnostic logging.

    # Add a DWORD (32-bit) value DiagLevel with value of 0x00000005
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\Crypt32' -Name "DiagLevel" -Type DWORD -Value 5

    # Add a QWORD (64-bit) value DiagMatchAnyMask with value of 0x00ffffff
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\Crypt32' -Name "DiagMatchAnyMask" -Type QWORD -Value 0x00ffffff

# Step 2: Enable CAPI2 operational logging (the log is disabled by default)

    $log = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList "Microsoft-Windows-CAPI2/Operational"
    $log.IsEnabled = $true
    try {
        $log.SaveChanges()
    } catch {
        Write-Warning -Message "Failed to save changes because $($_.Exception.Message)"
    }

# Step 3: Query the logs

    # Let the machine run its normal workload first: only chains built after Step 2
    # are recorded. This query lists 384- and 512-bit RSA chain elements only; add
    # another Event[...] alternative for every other size below 1024 you expect to
    # see (for example 768).
    $XMLquery = @"
    <QueryList>
        <Query Id="0" Path="Microsoft-Windows-CAPI2/Operational">
            <Select Path="Microsoft-Windows-CAPI2/Operational">Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='384']]]]] and
            UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]
            or
            Event[UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyLength='512']]]]] and
            UserData[CertGetCertificateChain[CertificateChain[ChainElement[PublicKeyAlgorithm[@publicKeyName='RSA']]]]]]</Select>
        </Query>
    </QueryList>
"@

    try {
        Get-WinEvent -FilterXml $XMLquery -ErrorAction Stop
    } catch {
        Write-Warning -Message "XML query failed because $($_.Exception.Message)"
    }
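The Step 3 query returns raw events for two fixed key sizes. The following is an added example (not code from the original post or from Microsoft's article) that selects every chain-building event, does the size comparison in PowerShell so any RSA key below 1024 bits is caught, reports which process used it, and then reverses Steps 1 and 2. It assumes the event XML layout the query above selects on (UserData/CertGetCertificateChain/CertificateChain/ChainElement, with a Certificate element carrying a subjectName attribute and a PublicKeyAlgorithm element carrying publicKeyName and publicKeyLength); the function names are hypothetical.

```powershell
# Added example, not code from the original post or Microsoft's article: list every
# RSA chain element below 1024 bits recorded in the CAPI2 log, then switch the
# diagnostics off again. Assumes the ChainElement/Certificate/PublicKeyAlgorithm
# layout used by the Step 3 query and Windows PowerShell 2.0+ run as administrator.

function Get-WeakRsaChainElement {
    param(
        [int]$MinimumKeyLength = 1024
    )

    # Select every chain-building event; the numeric comparison is done below in
    # PowerShell instead of enumerating fixed lengths in the XPath filter
    $query = '<QueryList><Query Id="0" Path="Microsoft-Windows-CAPI2/Operational">' +
             '<Select Path="Microsoft-Windows-CAPI2/Operational">Event[UserData[CertGetCertificateChain]]</Select>' +
             '</Query></QueryList>'
    $records = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

    foreach ($record in $records) {
        [xml]$xml = $record.ToXml()
        $chain = $xml.Event.UserData.CertGetCertificateChain.CertificateChain
        if (-not $chain) { continue }
        # A chain with a single element comes back as one XmlElement, so force an array
        foreach ($element in @($chain.ChainElement)) {
            $pk = $element.PublicKeyAlgorithm
            if (-not $pk -or $pk.publicKeyName -ne 'RSA') { continue }
            $keyLength = [int]$pk.publicKeyLength
            if ($keyLength -lt $MinimumKeyLength) {
                New-Object -TypeName PSObject -Property @{
                    TimeCreated = $record.TimeCreated
                    ProcessId   = $record.ProcessId
                    Subject     = $element.Certificate.subjectName
                    KeyLength   = $keyLength
                }
            }
        }
    }
}

function Disable-Capi2Diagnostics {
    # Reverse Step 1 and Step 2: verbose Crypt32 diagnostics are noisy and the
    # operational log fills quickly on a busy server, so turn them off once done
    $crypt32 = 'HKLM:\System\CurrentControlSet\Services\Crypt32'
    Remove-ItemProperty -Path $crypt32 -Name 'DiagLevel' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $crypt32 -Name 'DiagMatchAnyMask' -ErrorAction SilentlyContinue

    $log = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-CAPI2/Operational'
    $log.IsEnabled = $false
    $log.SaveChanges()
}

# Usage: which weak-key certificates are actually in use, most frequently used first
Get-WeakRsaChainElement |
    Group-Object -Property Subject |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize
Disable-Capi2Diagnostics
```

The grouped output is the list to act on: Method 1 tells you which weak certificates exist, this tells you which ones are really exercised (and by which process), so those are the ones that will break the day KB 2661254 is installed.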
  • NB1: You must have admin credentials to perform all the above operations, of course.
  • NB2: The above code also shows how to enable event log tracing (set IsEnabled to $false and call SaveChanges() again to disable it). I’ve used the following article to achieve it: How to: Configure and Read Event Log Properties