What are the risks of still using a 1024-bit certificate in a private network?

Question

One of our colleagues ran a Qualys scan on an internally used product and found that the product still uses 1024-bit certificates for its modules to communicate with each other. The vendor says that this issue will be targeted in a future release (a few months at the least).

I read a few links (Symantec FAQ and a very informative blog post) about the risks.

Since the product is used in a private network, I am of the opinion that we shouldn't worry about the certificate issue a lot. It is less likely for a hacker to be aware of such a product unless he/she is an insider. The weak certificate can definitely lead to leaked cipher suite and in turn leak the entire communication. I wouldn't deny that. My stance depends on the assumption that the attacker doesn't have access to the internal network.

I would like to know from the community what are the other scenarios that I am not considering here.

Answer 1

If I understand your scenario correctly:

• You're talking about a security mechanism that relies on signatures made by 1024-bit RSA keys.
• You have a relatively easy way of deploying updated certificates and revoking the old ones. It's a matter of days, maybe months, but certainly not years.

The public record for breaking RSA is a 768-bit key. Nation-states might be willing to expend more effort to go further, but 1024-bit keys still are out of reach by publicly known methods.

Under these assumptions, there is no meaningful security risk of using 1024-bit certificates (except maybe if you're worried about nation-state attackers, but even then RSA key size are not your biggest worry). There is a risk of non-compliance, because compliance rules tend to address scenarios that are not as favorable as yours (deployments to third parties that you can't realistically force to update, embedded devices that simply can't be updated, etc.).

Answer 2

First and foremost, Qualys probably alerts you because as of January 1, 2014 the Certification Authority/Browser (CA/B) Forum required that certificates issued after this time frame MUST be at least 2048-bit key length.

The answer to your question comes down to a administrative decision about what risk the company is willing to take/assume. Starting with the assumption that anything and everyone will be hack, an attacker inside the network (e.g. through an advanced persistent threat) trying to decrypt a 2048-bit certificate will have a harder time versus a 1024-bit cert. That's not new news, but by being able to take advantage of the SSL certificate it can encrypt internal malicious traffic, such a c&c network calls, that might not be caught with regular firewalls or Network IPS tools. Additionally, if this certificate is use across multiple services, such as security tools themselves, the attacker could tamper with data or take controls of the agent providing the security controls.

My recommendation is that you and your team go through a small threat modeling exercise to decide whether this risk should be mitigated, transferred, or simply accept it as is.