Last updated 29 Dec 2012

Microsoft's Essential Digital Certificates

Microsoft KnowledgeBase article 293781 lists three certificates as necessary for the correct operation of the Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008 operating systems. Two are for the Microsoft Root Authority (serial number 00c1008b3c3c8811d13ef663ecdf40, expires on 31 Dec 2020) and the Microsoft Root Certificate (serial number 79ad16a14aa0a5ad4c7358f407132e65, expires on 10 May 2021, although the web page says 09 May 2021), and one is for the Thawte Timestamping CA (serial number 00, expires on 01 Jan 2021, although the web page says 31 Dec 2020).

If you open the Windows Certificate store on your PC, the details of these certificates are as follows:

Valid from: 10 Jan 1997 08:00:00
Valid to: 31 Dec 2020 08:00:00
Issuer: Microsoft Root Authority
Serial number: 00c1008b3c3c8811d13ef663ecdf40
Signature algorithm: md5RSA
Public Key: RSA (2048 bits)

Valid from: 10 May 2001 00:19:22
Valid to: 10 May 2021 00:28:13
Issuer: Microsoft Root Certificate Authority
Serial number: 79ad16a14aa0a5ad4c7358f407132e65
Signature algorithm: sha1RSA
Public Key: RSA (4096 bits)

Valid from: 01 Jan 1997 01:00:00
Valid to: 01 Jan 2021 00:59:59
Issuer: Thawte Timestamping CA
Serial number: 00
Signature algorithm: md5RSA
Public Key: RSA (1024 bits)

When you look at the Certification Path tab for each certificate you will see that all three are Root certificates. The Microsoft Root Certificate Authority uses the SHA1 algorithm and has a key length of 4096 bits (which might still be acceptable when it expires in 2021). The other two use the MD5 algorithm (which has been cracked). Of those two, only the Microsoft Root Authority has the recommended minimum key length of 2048 bits, whilst the Thawte Timestamping CA has a barely adequate key length of 1024 bits. NIST (the US National Institute of Standards and Technology) recommends using a minimum key length of 2048 bits from 2011 for RSA encryption.
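The same checks can be run across the whole Trusted Root store rather than read off the certificate dialog one entry at a time. The script below is an added example, not part of the original article or of any Microsoft tooling; it assumes the local machine root store (`Cert:\LocalMachine\Root`), PowerShell 3.0 or later and .NET Framework 4.6 or later, and the function name `Get-RootCertAudit` is hypothetical.

```powershell
# Added example (not from the article): audit the Trusted Root store using
# the two criteria the article applies, plus an expiry check.
$MinRsaBits  = 2048          # minimum RSA key length the article cites from NIST
$WeakSigAlgs = @('md5RSA')   # friendly name as Windows displays it in the article

# Issuer name -> serial number of the three certificates the article lists
$Essential = @{
    'Microsoft Root Authority'             = '00c1008b3c3c8811d13ef663ecdf40'
    'Microsoft Root Certificate Authority' = '79ad16a14aa0a5ad4c7358f407132e65'
    'Thawte Timestamping CA'               = '00'
}

function Get-RootCertAudit {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $issuer = $cert.GetNameInfo($nameType, $true)   # $true selects the issuer name
        $alg    = $cert.SignatureAlgorithm.FriendlyName
        # GetRSAPublicKey returns $null for non-RSA certificates (e.g. ECDSA)
        $rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits   = if ($rsa) { $rsa.KeySize } else { $null }

        $findings = @()
        if ($alg -in $WeakSigAlgs)           { $findings += "signature uses $alg" }
        if ($rsa -and $bits -lt $MinRsaBits) { $findings += "RSA key is $bits bits" }
        if ($cert.NotAfter -lt (Get-Date))   { $findings += 'expired' }

        [pscustomobject]@{
            Issuer    = $issuer
            Serial    = $cert.SerialNumber
            NotAfter  = $cert.NotAfter
            SigAlg    = $alg
            RsaBits   = $bits
            # Serial 00 is not unique, so match on issuer name and serial together
            Essential = ($Essential[$issuer] -eq $cert.SerialNumber)
            Findings  = $findings -join '; '
        }
    }
}

# Show only roots with at least one finding, soonest expiry first
Get-RootCertAudit | Where-Object { $_.Findings } | Sort-Object NotAfter |
    Format-Table Issuer, Serial, NotAfter, SigAlg, RsaBits, Essential, Findings -AutoSize -Wrap
```

A root certificate is trusted because it is present in the store, not because of its self-signature, so for the entries reported here the key length is the more significant of the two findings.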

These certificates cast a light on the difficulty of replacing or upgrading certificates which were issued to cover a time period of some 20 to 25 years without a clear strategy for introducing newer algorithms to replace older ones which have been cracked over time. Even if an algorithm is still considered safe, you might want to increase the key length because computers get faster and can be connected for parallel (or grid) computing. This problem is not specific to Microsoft. It applies to all operating systems and has its root in the belief that computer security depends on using a wholly cryptographic approach, rather than on what is practical from a security engineering point of view and with respect to usability.

AllIncontext Limited is registered in England, No 04624520. Registered office address: 12-14 High Street, Petersfield, Hampshire, GU32 3JG.
