Summary of the Microsoft® Update
Microsoft released a critical update (KB 2661254) on August 14, 2012, which ended support for all encryption keys less than 1024 bits in length. Shorter keys are now more vulnerable to brute force attacks given the processing power of today’s computers.
After applying Microsoft’s update, all digital certificates with keys less than 1024 bits were treated as invalid.
How did this update affect the Pharos products?
This Microsoft update may have caused interruption of Pharos services for the following products:
- Blueprint Enterprise™5.0
- Pharos Uniprint 8.3
- Pharos MobilePrint 1.2
All versions of Pharos software (with lower version numbers than those shown above) were not affected by this Microsoft Update.
To prepare for this Microsoft update, Pharos developed, tested and made available hotfixes for the relevant products that will increase the encryption key length to 1024 bits.
What you should do
To mitigate the impact of this update, you can either apply the Pharos hotfix files (recommended) or you can modify a Microsoft registry key to specify the size of keys that are blocked. This can be applied to all current Pharos versions.
How to verify your version
For Uniprint 6.x to 8.x and Blueprint
1. Open Pharos Administrator.
2. From the Help menu choose "About Pharos Administrator" to view installed Product Version.
Option 1 - Applying Pharos Hotfix Files (Recommended)
Hotfix files are available for the appropriate Pharos products.
Important note: Applying the hotfix files is suitable for sites running the Final release versions of the appropriate Pharos products. For sites running Uniprint 8.3 Controlled Release (8.3.7182) and MobilePrint 1.1 (184.108.40.206212), please see Option 2. Once the site has been upgraded to the general release, the Pharos Hotfix files can be applied and the registry key will no longer be needed.
These hotfixes can be downloaded from the Pharos website https://support.pharos.com by selecting from the appropriate Downloads link on the left menu.
Blueprint Enterprise 5.0 Service Pack 2
Uniprint 8.3 Revision 174 (includes Mobileprint 1.2)
Refer to the accompanying readme file for instructions on how to apply the patches/hotfixes.
Option 2 – Modifying the Microsoft Registry Key
Alternatively, you can modify a registry key in Windows to allow 512 key bits and to block all keys less than 512 bits. This option is suitable for sites running Uniprint 8.3 Controlled Release (8.3.7182) and MobilePrint 1.1 (220.127.116.11212) as there is no hotfix file available for the Controlled Release version.
For each server in the system, the following steps should be followed.
1. Open a command prompt with local administrator privileges.
2. Run the following command from C:\Windows\System32.
Certutil-setreg chain\minRSAPubKeyBitLength 512
3. If successful, you should see the following message:
minRSAPubKeyBitLength REG_DWORD = 200 (512)
CertUtil:-setreg command completed successfully
The CertSvc service may need to be restarted for changes to take effect.
You can disregard the message "The CertSvc service may need to be restarted for changes to take effect."
If Pharos can be of any further assistance to you in this matter, please join this conversation or contact Pharos support (http://support.pharos.com) for personal assistance.