Crypto Changes in Windows 10 Fall Creators Update
RC4 Disabled and CAPI Features Discouraged
Later this year Microsoft will release the “Fall Creators Update” for Windows 10. This is similar to the “Service Packs” traditionally released as major lifecycle updates for Windows, though Microsoft has eschewed that term recently in favor of more consumer friendly names.
Usually, when we think of software updates we think of new features – but there are also features being removed or “deprecated” (or, officially put on notice) in order to keep the OS modern.
The full list of removals/deprecations are listed on this Microsoft support page, but we have highlighted a few that are relevant to your SSL/TLS configuration or cryptography work.
The following features are “deprecated” in the Fall Creators Update, which means they are “not in active development and might be removed in future releases.”
TLS RC4 Ciphers Disabled By Default
RC4 – an encryption cipher which has been broken for quite a while – will be disabled by default. Presumably this means the cipher will still be available for ‘compatibility.’
All modern browsers have disabled RC4, so it has been unusable on updated machines for some time. Even Cloudflare disabled it network-wide more than 2 years ago and at that time only 1 millionth of one percent of requests to their network was using it.
CAPI RSA/AES Provider Deprecated
The title for this one reads “RSA/AES Encryption for IIS” and the description says “we recommend that users use CNG encryption provider.”
This is rather poorly worded and its meaning may not be immediately obvious to those that are not familiar with Windows’ APIs. There is more than one API that can be used to implement crypto functions and in this update some features are being deprecated in an older API.
CAPI, or Crypto API, is the aging API where AES/RSA functionality is being discouraged.
CNG (Cryptography API: Next Generation) is CAPI’s successor, first introduced in Vista, and recommended if you want to work with RSA or AES.
Other Changes
There are some changes to Windows’ Trusted Platform Module (TPM) management features. TPM is a hardware chip that manages certain cryptographic operations. Windows’ TPM Owner Password Management will be removed, while TPM.msc will be replaced in a future version, and TPM Remote Management will be removed in a future version.
Syskey.exe is the only feature mentioned here which is being entirely removed in the update. It is a legacy application intended to be used as an additional security measure to protect user password information. However it is now severely outdated – using the aforementioned RC4 cipher – and does not provide suffcient security. However it has become a tool used by ransomware and other “technical support” scammers and is a liability to keep around. Bitlocker is the recommended modern replacement.
Thanks to Kevin Jones who shared his encyclopedic familiarity with Windows’ cryptography capabilities.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownA Call To Let’s Encrypt: Stop Issuing “PayPal” Certificates
in Industry Lowdown