win: document and discourage RSA key script #363
This commit improves the documentation of the RSA key handling script and
changes its recommendation level to address potential issues with
Hyper-V (as reported in #363).

Changes:

- Add documentation to describe potential disruptions caused by stronger
  RSA key requirements.
- Move RSA key script from 'Standard' to 'Strict' due to its impact on
  Hyper-V VMs.
- Use bullet points for easier expansion in cautions of secret key
  hardening scripts.
undergroundwires committed May 22, 2024
1 parent ff3d5c4 commit f347fde
Showing 1 changed file with 13 additions and 9 deletions.
22 changes: 13 additions & 9 deletions src/application/collections/windows.yaml
@@ -7120,8 +7120,8 @@ actions:
latest guidelines and practices.

> **Caution**:
> Using bigger keys increases security but may not work with some old or less secure apps.
> This can make your device slower and drain the battery faster.
> - Using bigger keys increases security but may not work with some old or less secure apps.
> - This can make your device slower and drain the battery faster.
children:
-
name: Enable strong Diffie-Hellman key requirement
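Review bot: splitting the caution into two bullets leaves the second bullet's "This" without an antecedent, so on its own it no longer says what makes the device slower. Suggest "- Larger keys can also make your device slower and drain the battery faster." The same split is applied in the two later hunks and the same wording fix applies there.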
@@ -7144,8 +7144,8 @@ actions:
This script hardens your system's security by using keys of adequate strength, following best practices.

> **Caution**:
> Using bigger keys increases security but may not work with some old or less secure apps.
> This can make your device slower and drain the battery faster.
> - Using bigger keys increases security but may not work with some old or less secure apps.
> - This can make your device slower and drain the battery faster.

[1]: https://web.archive.org/web/20240402105325/https://learn.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644 "Microsoft Security Advisory 3174644 | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
@@ -7159,8 +7159,8 @@ actions:
algorithmName: Diffie-Hellman
keySizeInBits: 2048
-
name: Enable strong RSA key requirement
recommend: standard # Microsoft deprecated it and will end support
name: Enable strong RSA key requirement (breaks Hyper-V VMs)
recommend: strict # Microsoft deprecated it and will end support; but breaks Hyper-V VMs, see #363
docs: |- # refactor-with-variables: Same • Caution • handshake
This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (`PKCS` [1] [2]).
RSA encryption keys play a crucial role in securing communications over the internet.
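Review bot: the unchanged docs line "This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (`PKCS` [1] [2])" overstates the scope of what the script does: the called function is `RequireTLSMinimumKeySize` and `PKCS` is the Schannel key-exchange algorithm entry from the TLS registry settings page in [1], so the minimum only applies to RSA key exchange in TLS handshakes, not to every RSA key on the system. Since this hunk already rewords the entry's name and comment, suggest narrowing the sentence to "... a minimum of 2048 bits for RSA keys used in TLS key exchange (`PKCS` [1] [2])" so the new "(breaks Hyper-V VMs)" name is read against the right scope.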
@@ -7179,17 +7179,20 @@ actions:
These entities, including the Federal Office for Information Security (BSI) in Germany [2] and the National Institute of Standards
and Technology (NIST) in the USA [4] [5], now recommend the use of keys that are 2048 bits or longer.
RSA key exchanges of 2048 bits or are widely accepted.

In 2012, Microsoft deprecated 1024-bit RSA keys for their applications [5] [6] and will end support for them in
Windows by March 2024 [3].

While 2048-bit keys balances security with efficiency [7], a shift towards stronger 4096-bit RSA keys is emerging.
Projects like Debian [8], Fedora [9], and CaCert.org [10] use larger keys for long-term tasks.

This script helps to protect the privacy and integrity of your data.
However, this script disrupts connections to Hyper-V virtual machines, which still require 1024-bit keys [11].
It does not affect other virtual environments such as Docker, WSL, or Windows Sandbox [11].

> **Caution**:
> Using bigger keys increases security but may not work with some old or less secure apps.
> This can make your device slower and drain the battery faster.
> - The script prevents access to Hyper-V VMs.
> - Using bigger keys increases security but may not work with some old or less secure apps.
> - This can make your device slower and drain the battery faster.

[1]: https://web.archive.org/web/20240403064025/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=rsa "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
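Review bot: the added sentence "this script disrupts connections to Hyper-V virtual machines, which still require 1024-bit keys [11]" asserts a root cause but cites only the user report in [11] (titled "Hyper-V VM connection issues after running "Standard""), which records the symptom; unless the 1024-bit requirement was confirmed against Hyper-V itself, soften it to "which, as reported in [11], can no longer be connected to once this minimum is enforced", and qualify the following sentence about Docker, WSL and Windows Sandbox the same way, since it rests on the same single report. The new caution bullet "The script prevents access to Hyper-V VMs" should also use the same verb as the paragraph ("disrupts connections to") so the two statements do not read as different severities. Two slips in the unchanged context are worth fixing in the same commit: "RSA key exchanges of 2048 bits or are widely accepted" is missing "longer", and "2048-bit keys balances security" should read "balance".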
@@ -7201,6 +7204,7 @@ actions:
[8]: https://web.archive.org/web/20240402105239/https://wiki.debian.org/Keysigning#Step_1:_Create_a_RSA_keypair "Keysigning - Debian Wiki | wiki.debian.org"
[9]: https://web.archive.org/web/20240402105244/https://fedoraproject.org/security/ "Fedora keeps you safe | The Fedora Project | fedoraproject.org"
[10]: https://web.archive.org/web/20240402112840/http://www.cacert.org/policy/CertificationPracticeStatement.html#p6.1.5 "Certification Practice Statement (CPS) | cacert.org"
[11]: https://web.archive.org/web/20240519131322/https://github.com/undergroundwires/privacy.sexy/issues/363 "Hyper-V VM connection issues after running \"Standard\" · Issue #363 · undergroundwires/privacy.sexy"
call:
function: RequireTLSMinimumKeySize
parameters: