- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
Network World - Symantec today began offering multi-algorithm SSL certificates for Web servers that go beyond traditional crypto to include what's known as the Elliptic Curve Cryptography (ECC) Digital Signature Algorithm (DSA), which the firm says will be 10,000 times harder to break than an RSA-bit key. Certificates are used to prove site identity to the visitor through a validation check that involves the user's browser and the site certificate, and Symantec is making the argument that authentication will happen faster using this particular ECC algorithm.
ECC represents a different mathematical approach to crypto that originated in the 1980s to try for faster processing speed at lower bit lengths. Speed is of growing importance because the National Institute of Standards and Technology (NIST) is requiring websites covered under federal regulations to migrate from RSA 1024-bit crypto to 2048-bit certificates by Jan. 1, 2014, Symantec points out. This is regarded as a precautionary measure because longer-length crypto algorithms are harder to break; the NIST guideline taking effect related to algorithm length for security in website certificates will be advice that resonates beyond government to business.
Breaking crypto algorithms in certain instances can be done through "brute force," notes Bob Hoblit, senior director of product management in Symantec's Website Security Solutions division, alluding to computer-based attacks through raw processing power to try and crack the crypto's math. However, longer-length crypto algorithms are seen as more computationally intensive and slower in their use.
Symantec argues that the advantage in using ECC technology is that it will harder to break than an RSA-bit key -- and Symantec specifically points to National Security Agency analysis regarding ECC in general that 256-bit ECC certificates offer the equivalent security of a 3072-bit RSA certificate.
Symantec says its testing of ECC is showing better server-to-desktop performance and response time, comparing the RSA certificate handling 450 requests per second with an average response time of 150 milliseconds to the desktop, with an ECC certificate under the same conditions averaging just 75 milliseconds.
Symantec believes it's the first certificate authority to actually offer ECC SSL certificates, but Entrust also markets what it calls a "hybrid" ECC certificate product as a somewhat future-oriented technology, noting that some older browsers wouldn't support ECC.
The ability of Web browsers to support a vendor's specific certificate crypto "root" is an important question. The Microsoft Internet Explorer, Google Chrome and Mozilla Firefox browsers typically have coded into the various versions the certificate "root" information, and Symantec says this has been done in the case of its ECC SSL certificate technology. Google software engineer Adam Langley underscored the commitment to ECC in Symantec's announcement today by saying, "We believe in constantly furthering security, which is why Chrome supports Elliptic Curve Digital Signature Algorithm on all modern operating systems."