
Enterprise Mobility + Security


(This blog post was first published on the RMS team blog in March 2012.)

One of the more significant updates to AD RMS that has occurred over the past year is the support for a new advanced mode of operation that supports enhanced cryptography.  This support was added with Service Pack 1 for Windows 2008 R2 and is now being made available in Windows Server “8” Beta as well.

The new cryptographic mode support for AD RMS lets you increase the cryptographic strength of your AD RMS deployment by running in an advanced mode known as "Cryptographic Mode 2". What does mode 2 offer you? Running AD RMS in this mode provides a cryptographic implementation that uses stronger algorithms and longer keys. Specifically, in mode 2 operation the RSA key length used for the server licensor certificate, rights account certificates and license signing is increased from 1024 bits to 2048 bits, and the hash algorithm used for signatures is changed from SHA-1 (160-bit digest) to SHA-256 (256-bit digest).

The value of this enhanced cryptography in AD RMS is that it can help your organization satisfy regulatory compliance with current security standards set by the National Institute of Standards and Technology (NIST). NIST Special Publication 800-57 recommends a minimum RSA key length of 2048 bits from January 1, 2011 onward (1024-bit RSA keys, which provide roughly 80 bits of security, were acceptable only through the end of 2010). United States Federal agencies are required to comply with NIST recommendations, and many private enterprises and other countries may choose to implement this recommendation as well. To learn more, see NIST Special Publications (http://csrc.nist.gov/publications/PubsSPs.html).

To enable Cryptographic Mode 2 in your AD RMS deployment, all computers that host either the AD RMS server role or the AD RMS client software must first be patched and updated; an un-updated client cannot consume content protected with 2048-bit keys, so inventory and update clients before switching the cluster. Note also that the switch from mode 1 to mode 2 is a one-way operation: once a cluster has been moved to mode 2, it cannot be reverted to mode 1. To find out more about how to approach updating your deployments to support mode 2 operation, see Active Directory Rights Management Service Cryptographic Modes (http://go.microsoft.com/fwlink/p/?LinkID=241989).

Note: While the AD RMS cryptography update described here offers backward compatibility for content that was previously protected using 1024-bit keys, this compatibility is only available on clients (listed in the linked article) for which an update providing this support has been released. At present, no client update for this enhanced cryptography is available for RMS clients running on Windows XP.