Symantec Algorithm Agility
Responsible business owners have long known to protect their online presence with SSL certificates issued by trusted third-party Certification Authorities (CAs). An SSL certificate allows authentication of the web server, protects the transmission of sensitive information, and gives customers a recognized and trusted sign of security. SSL certificates have traditionally relied on encryption with public and private keys based on the RSA algorithm. While these keys remain secure, the growing threat from ever more powerful computers prompted the National Institute of Standards and Technology (NIST), among others, to call for additional strengthening of online encryption.
With this need for additional security in mind, and to ensure that business owners can tailor their protection to the needs of their business, Symantec, the most trusted name in SSL certification, has introduced algorithm agility as part of its SSL certification process. Businesses can now choose between certificates based on the RSA algorithm or on either of two alternative algorithms, ECC and DSA, or generate certificates for all three and install them on one server. This flexibility lets business owners offer a broader range of encryption options for different circumstances, infrastructure, and customer or partner groups.
The RSA algorithm remains an effective encryption option. However, the length of its keys will continue to grow exponentially. Online communities have noted that attackers with powerful computers could potentially crack keys approaching 1024 bits. NIST has therefore recommended that, by the end of 2013, Certificate Authorities should not issue any new SSL/TLS certificates with RSA public keys smaller than 2048 bits.
At the same time, alternative algorithms for encryption and signing have been adopted by the federal government, which has issued guidelines based on Elliptic Curve Cryptography (ECC) and the Digital Signature Algorithm (DSA). Already binding on the federal government, the NIST Suite B guidelines and recommendations are also usually adopted as best practices by commercial businesses.
Certificates signed with the RSA algorithm have been in widespread use for many years, but algorithm agility, based on the NIST guidelines, allows businesses to choose to implement certificates signed with three different algorithms: RSA, DSA and ECC. The design of TLS allows different algorithms to work either alone or side by side, so with algorithm agility, business owners can choose the public key algorithm, or combination of algorithms, that works best for their online presence and infrastructure.
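The side-by-side deployment described above, shown as an added example that is not Symantec's or the page's own code: one server holds an RSA-2048 certificate and a P-256 ECDSA certificate, and a TLS 1.2 handshake picks whichever one matches the cipher suites the client offers. The host name "agility.example" and the self-signed certificates are constructed test material; Go's TLS stack does not support DSA certificates, so only two of the three algorithms appear here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned wraps a private key in a throwaway self-signed certificate for the
// constructed host name "agility.example" (a test identity, not a real site).
func selfSigned(key crypto.Signer) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"agility.example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// agileCertificates installs an RSA-2048 and a P-256 ECDSA certificate side by side.
func agileCertificates() []tls.Certificate {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return []tls.Certificate{selfSigned(rsaKey), selfSigned(ecKey)}
}

// negotiated runs an in-memory TLS 1.2 handshake and reports which server certificate
// was served to a client offering only the given cipher suites. TLS 1.2 is pinned because
// there the suite dictates the key type; verification is skipped only for the self-signed test cert.
func negotiated(certs []tls.Certificate, suites []uint16) (x509.PublicKeyAlgorithm, error) {
	srvConn, cliConn := net.Pipe()
	srv := tls.Server(srvConn, &tls.Config{Certificates: certs})
	cli := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true, CipherSuites: suites, MaxVersion: tls.VersionTLS12,
	})
	go srv.Handshake() // a server-side failure surfaces as a client handshake alert
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().PeerCertificates[0].PublicKeyAlgorithm, nil
}
```

A client that offers only an ECDHE_ECDSA suite is served the ECDSA certificate, while one that offers only an ECDHE_RSA suite gets the RSA certificate from the same server configuration.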
DSA is a discrete logarithm system. It was developed by the National Security Agency in 1991 as an alternative to RSA and is the federal standard for digital signatures. The DSA algorithm provides the same level of protection and performance as the RSA algorithm for similar key sizes, but uses a different mathematical algorithm for signing, and the detection of any alteration to a
Although key sizes are identical to RSA's, key generation and signing with DSA are faster, while signature verification is slightly slower. DSA is also compatible with most servers, and because it is already a federal standard, using an SSL certificate that supports DSA makes it easier for businesses to meet the requirements of government contracts.
The NIST Suite B recommendation that Certificate Authorities increase the minimum key size for RSA-based SSL certificates demonstrates that increasingly sophisticated security threats will drive the requirement for ever larger RSA keys. At a certain point, the RSA key size needed for the required security simply becomes unwieldy, increasing the computing power, transmission bandwidth and time required for each encryption and decryption operation. It's still secure, but less efficient.
Unlike RSA and DSA, ECC algorithms are based on elliptic curves over finite fields, a much harder mathematical problem for attackers to approach with simple brute-force methods. With RSA and DSA, key length is the defining factor in how strong the encryption can be.
With ECC, the nature of the underlying mathematical problem means that as key size increases, the work needed to break it grows faster than it does for RSA. A shorter ECC key is therefore harder for an attacker to break than an RSA key of the same length, and it can provide the same or better security than a much longer RSA key. Key sizes for ECC grow linearly rather than exponentially, so as guidelines tighten, its efficiency advantage increases.