Cryptographic Breakage: Windows 11 Update Disrupts RSA Signing Operations

Developers are reporting critical failures in .NET applications following the installation of Windows 11 update KB5064081, specifically when using the RSA.SignHash method with 384-bit keys and the SHA-1 algorithm. The issue, documented in a public GitHub issue (#52) against Microsoft's SymCrypt cryptographic library repository, manifests as unexpected exceptions during signing operations that previously functioned correctly.


The Technical Breakdown

The core failure occurs within the underlying SymCrypt library, which handles cryptographic primitives for Windows. The reporter (mesa57) provided a VB.NET console application demonstrating the failure scenario:

' Simplified representation of failing operation
Imports System.Security.Cryptography
Imports System.Text

Dim data As Byte() = Encoding.UTF8.GetBytes("message to sign")
Dim rsa As RSA = RSA.Create()
rsa.KeySize = 384 ' Specific problematic key size
Dim dataHash As Byte() = SHA1.Create().ComputeHash(data) ' Using SHA-1
Dim signature As Byte() = rsa.SignHash(dataHash, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1) ' Throws exception post-update

Key characteristics of the failure:
1. Specific Parameters: The crash occurs exclusively with RSA keys of 384-bit length combined with the SHA-1 hashing algorithm.
2. Update Correlation: The issue emerged immediately following the installation of the Windows 11 update KB5064081, strongly implicating changes within the OS-level cryptographic modules.
3. Impact Scope: While SHA-1 is deprecated for many security-sensitive uses, the reporter emphasized its critical role in their application, stating that forcing changes to key sizes or algorithms "would affect thousands of users." This highlights the challenge of maintaining legacy cryptographic interoperability in complex systems.
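A small diagnostic probe, added here and not taken from the GitHub issue or the SymCrypt project, that exercises the same RSA.SignHash call across several key sizes and hash algorithms and reports at which stage each combination throws, so an affected machine can be identified before the application itself fails. It assumes Windows PowerShell 5.1, where RSA.Create() returns the CryptoAPI-backed provider that accepts 384-bit keys; the sample message and the list of sizes are constructed for the test.

```powershell
# Added diagnostic probe (not the reporter's code). Assumes Windows PowerShell 5.1;
# on PowerShell 7 the CNG-backed RSA may reject 384 at the KeySize stage instead.
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')

function Test-RsaSignHash {
    param([int]$KeySize, [string]$HashName)
    # Stage records how far the operation got before an exception, if any.
    $result = [ordered]@{ KeySize = $KeySize; Hash = $HashName; Stage = 'ok'; Error = '' }
    $rsa = $null
    try {
        $rsa = [System.Security.Cryptography.RSA]::Create()
        $result.Stage = 'keysize'
        $rsa.KeySize = $KeySize
        $hasher  = [System.Security.Cryptography.HashAlgorithm]::Create($HashName)
        $digest  = $hasher.ComputeHash($data)
        $algName = [System.Security.Cryptography.HashAlgorithmName]::new($HashName)
        $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $result.Stage = 'sign'
        $sig = $rsa.SignHash($digest, $algName, $padding)   # the call that regressed
        $result.Stage = 'verify'
        if (-not $rsa.VerifyHash($digest, $sig, $algName, $padding)) {
            throw 'signature did not verify'
        }
        $result.Stage = 'ok'
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($rsa) { $rsa.Dispose() }
    }
    [pscustomobject]$result
}

# Probe the reported 384/SHA-1 case alongside neighbouring sizes and SHA-256
# so a failure specific to one combination stands out from a general breakage.
$results = foreach ($k in 384, 512, 1024, 2048) {
    foreach ($h in 'SHA1', 'SHA256') { Test-RsaSignHash -KeySize $k -HashName $h }
}
$results | Format-Table -AutoSize
```

The 384/SHA256 row is expected to fail on any system: a PKCS#1 v1.5 encoding needs at least 11 bytes of padding plus the 51-byte SHA-256 DigestInfo, which does not fit in a 48-byte modulus, which is also why an application pinned to 384-bit keys cannot simply switch hashes without changing key size.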

Why This Matters Beyond the Immediate Crash

This incident underscores significant risks in the software supply chain and dependency management:

  • Silent Breakage: A routine OS security update inadvertently broke a specific, but valid, cryptographic operation in dependent applications. This demonstrates how opaque changes in underlying system libraries can have unforeseen consequences.
  • Legacy Algorithm Challenges: While moving away from SHA-1 is advisable for security reasons, real-world applications often rely on established protocols and hardware constraints. Forced, unexpected breaks create significant migration burdens. This incident highlights the tension between security hardening and backward compatibility.
  • Diagnostic Difficulty: Developers faced with such exceptions must trace failures deep into OS-level cryptographic providers, a complex debugging task far removed from their application code.

Microsoft's Response and Path Forward

Microsoft engineers have acknowledged the issue on GitHub and applied the fix-pending-publication label, indicating a resolution has been implemented internally in Azure DevOps and is awaiting deployment to the public Windows update channel. This suggests a fix will be delivered via a future cumulative update. Developers encountering this specific failure pattern should monitor Windows Update releases for the patch. In the interim, testing system rollback of KB5064081 (if feasible and secure) or exploring temporary cryptographic provider redirection might be considered, though these are not ideal solutions.

The resolution of this specific bug highlights the continuous challenge of maintaining the intricate, interdependent layers of modern cryptographic infrastructure without disrupting the applications built upon it.