1

The Future of SSL Encryption

Created on Sep 17 2014, 9:04 PM by Stefano Rebulla

Most of you reading this will immediately connect the acronym “RSA” with the encryption algorithm invented in 1977 by Rivest, Shamir and Adleman and which is still today the most-adopted in Public Key Infrastructure (PKI) systems, such as SSL. Through a mathematical process that remains ingenious even by modern standards its merits are strong, but the world changes very quickly in technology and the paint on the RSA algorithm is starting to crack. Some RSA key lengths have been successfully broken over the years, and RSA-1024 was deprecated by the industry for Public CA use before any hack could be proven, but it would only have been a matter of time.

Today’s regulations mandate a minimum of 2048 bits for keys in public SSL certificates, but since there is no randomization in the RSA process, continuing advances in the mathematics behind breaking RSA may eventually make attacks on longer key lengths feasible. This will not happen for the foreseeable future to 2048 bit keys, but takes us to the next concern.

ssl-blog.jpg

Our modern lives rely more and more on smaller devices, down to “smartwatches”, but we still expect our data to be kept secure by them as it would be on our traditional computers. Smaller devices pose two problems though. First, they have comparably low computing power, and second they are used in mobility, meaning they rely on batteries to work, making every minute of battery life truly important.

With the increasing key lengths required for the decryption of even common services secured by an SSL certificate, there comes an issue about the amount of time and power a small device will need to calculate its share of a certificate key. But help is at hand through Symantec, and has been available for several months now, in a publicly-available production environment. Meet Elliptic Curve Cryptography, a.k.a. ECC, a part of Symantec’s public SSL certificate offering.

ECC is a newer mathematical algorithm that came into widespread use in 2005, and which solves the two issues above by providing a better level of security through shorter key lengths: an ECC key of only 256 bits will provide a security level comparable to RSA with 3072 bit keys. ECC can further be coupled to other smart encryption technologies such as Diffie-Hellman, and raise the security offered by ECC SSL certificates through a technique called Perfect Forward Secrecy (PFS), where the session keys are “exchanged” periodically and implicitly and therefore even a captured encrypted data stream will at best only be decipherable in part. Thus, the eavesdropper stands a minimal chance of guessing a quantity of session keys that would make any sense out of the data in his possession.

Are you unsure about leaving your users on legacy systems in the dark at this point? Webservers like e.g. Apache can be configured to serve both ECC and RSA intermediates, guaranteeing that the certificate chain will still function correctly to anyone on legacy systems. Symantec is already using ECC roots so we are well-equipped for the future. And using ECC SSL will decrease your power bill, because the math needed in the process is calculated easily by modern processors since the functions are built in.

So, with Symantec’s SSL certificates you have access to the future of encryption today, allowing you to save on your server resources, providing higher security to your users, and a better (and faster) user experience especially when in mobility. At Symantec our prime mission is to keep ahead of the next big thing in digital security, so you can do what you do best: your business. Do get in touch; we’d love to hear from you.

  • Products
  • website security solutions
  • DigiCert SSL TLS Certificates
  • Products and Solutions
  • Symantec Website Security

Comments

  • 0

    Good article Stefano. One minor correction to this sentence:

    "ECC certificates can be configured to serve both ECC and RSA intermediates.." The certificates themselves are not configured. To be technically correct,  you should say:

    "Web servers like Apache can be configured to serve both RSA and ECC certificates (ECC to those clients that support the algorithm, RSA to those that can’t)."

    Dean

  • 0

    Symantec introduced a great feature!

    ECC is an upgraded cryptography method that used in the SSL certificate. Elliptic Curve Cryptography technology comes with increased strength, stronger security, improved performance, and shorter key lengths.