Symantec Algorithm Agility

Business owners require flexibility and scalability in their efforts to build trust and protect online sites and transactions from hackers. Hackers are constantly developing more sophisticated methods to breach security protections and inflict damage on a business or its customers.

Responsible business owners have long known to protect their online presence through the use of SSL certificates provided by trusted third-party Certification Authorities (CAs). An SSL certificate provides authentication of the web server, allows the transmission of sensitive information, and gives customers a recognized and trusted sign of security. SSL certificates have traditionally relied on encryption using public and private keys based on the RSA algorithm. While these keys remain secure, increasing threats from ever more powerful computers prompted the National Institute of Standards and Technology (NIST), among others, to call for additional strengthening of online encryption.

With this need for additional security in mind, and to ensure that business owners can customize their protection to the needs of their business, Symantec, the most trusted name in SSL Certification, has introduced algorithm agility as part of its SSL certification process. This means businesses can now choose certificates that provide protection based on the RSA algorithm, choose certificates based on one of two alternative algorithms, ECC and DSA, or generate certificates for all three to install on a server. This flexibility allows business owners to provide a broader array of encryption options for different circumstances, infrastructure and customer or partner groups.

The RSA algorithm remains an effective encryption option. However, the length of the keys will continue to grow exponentially. Online communities have noted the ability of hackers using powerful computers to potentially crack keys approaching 1024 bits. NIST has therefore recommended that, by the end of 2013, Certificate Authorities should not issue any new SSL/TLS certificates with RSA public key sizes smaller than 2048 bits.

At the same time, alternative algorithms for encryption and signing have been adopted by the federal government, which has issued guidelines based on Elliptic Curve Cryptography (ECC) and the Digital Signature Algorithm (DSA). Already binding on the federal government, the new NIST Suite B guidelines and recommendations are also usually adopted as best practices by commercial businesses.

Certificates signed with the RSA algorithm have been in widespread use for many years, but algorithm agility, based on the NIST guidelines, allows businesses to choose to implement certificates signed with three different algorithms: RSA, DSA and ECC. The design of TLS allows different algorithms to work either alone or side by side, so with algorithm agility, business owners can choose the public key algorithm, or combination of algorithms, that works best for their online presence and infrastructure.

Digital Signature Algorithm (DSA)

DSA is a discrete logarithm system. It was developed by the National Security Agency in 1991 as an alternative to RSA and is the federal standard for digital signature. The DSA algorithm provides the same level of protection and performance as the RSA algorithm for similar key sizes, but uses a different mathematical algorithm for signing and for detecting any alteration to a transmitted message.

Although key sizes are identical to RSA, key generation and digital signature using DSA are faster. Key verification is slightly slower. DSA is also compatible with most servers, and because it is already a federal standard, using an SSL certificate that supports DSA makes it easier for businesses to meet the requirements of government contracts.

Elliptic Curve Cryptography (ECC)

The NIST Suite B recommendation that Certificate Authorities increase the minimum key size associated with RSA-supported SSL certificates demonstrates that increasingly sophisticated security threats will drive the requirement for ever larger RSA keys. At a certain point, the RSA key size for the security required simply becomes unwieldy, increasing the amount of computing power, bandwidth for transmission and time required for the encryption and decryption operation. It's still secure, but less efficient.

Unlike RSA and DSA, ECC algorithms are based on elliptic curves over finite fields, a much more difficult mathematical problem for hackers to attack using simple brute force methods. Using RSA and DSA algorithms, the defining factor for how secure the encryption can be is key length.

With ECC, the nature of the mathematical problem at its core means that as key size increases, its decryption operations become more difficult at a faster rate than those of RSA. This means that a shorter ECC key is more difficult for a hacker to break than the same length of RSA key and can provide the same or better security coverage than a much longer RSA key. Key sizes for ECC increase linearly instead of exponentially, so as guidelines change their efficiency increases.
