Microsoft Security Advisory 3174644

Updated Support for Diffie-Hellman Key Exchange

Published: September 13, 2016

Version: 1.0

Executive Summary

Microsoft is providing updated support to enable administrators to configure longer Diffie-Hellman ephemeral (DHE) key shares for TLS servers. The updated support allows administrators to increase the size of a DH modulus from the current default of 1024 to either 2048, 3072, or 4096.

Note: All versions of Windows 10 support the new DH modulus settings and use 2048 as the DH modulus default setting.

What is the scope of the advisory? 
The purpose of this advisory is to inform customers that Microsoft is providing updated support to enable administrators to configure longer Diffie-Hellman ephemeral (DHE) key shares for TLS servers.

What does the updated support for DHE key shares provide? 
The current size modulus in the DHE key exchange implementation is 1024 bit. This updated support enables administrators to configure a modulus size of 2048, 3072, or 4096.

Is this a security vulnerability that requires Microsoft to issue a security update? 
No. However, enabling administrators to configure longer DHE key shares can increase security for the TLS servers that they manage.

Why is Microsoft enabling administrators to configure longer DHE key shares for TLS servers? 
Enabling administrators to configure longer DHE key shares for TLS servers will facilitate implementing groups 14, 15 and 16 (RFC3526) that correspond to 2048, 3072 and 4096 as the default minimum security standard on TLS servers.

Administrators can change the size of the modulus by adding the registry key value in the following procedure. If the key value is absent, the default of the modulus remains 1024 bit. The following example sets the modulus size to 2048 bit. Valid key values are decimal: 1024, 2048, 3072 and 4096.

To change the default size of the modulus:

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Open Registry Editor.
  2. Access the following registry location:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    
  3. Update the following DWORD value to:
    "ServerMinKeyBitLength"=dword:00000800
    

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (September 13, 2016): Advisory published.
Page generated 2016-09-07 09:16-07:00.
Show: