Given recent certificate and SSL security hacking issues, it is important that this information be pushed out to as many server and web services operators as possible.
Until the recently, the RSA algorithm, first publically described in 1977 has been the only algorithm available for commercial digital signing certificates. The RSA algorithm remains the de facto standard although commercial certificates based on the DSA and ECC algorithms are now available.
Simply put: The larger the certificate key size in an RSA certificate, the more difficult it is to compromise the encryption.
As raw computing power increases over time it becomes possible to factor or crack smaller sized RSA keys. Key sizes smaller than 1024 bits were voluntarily discontinued by Microsoft on 12 December, 2012.
Seventeen RSA key sizes have been factored since 1991. Most recently most of the industry has standardized on certificates with 1024-bit RSA keys. However, industry experts warn that the oft used 1024-bit RSA key size is now at risk of being compromised by cyber criminals.
As a proactive measure, effective 31 December, 2013, the NATIONAL INSTITUTE OF STANDARDS and TECHNOLOGY [NIST] recommended that 1024-bit RSA certificates be eliminated and replaced with 2048-bit or stronger keys.
As a result of the NIST recommendation, the Certification Authority/ Browser (CA/B) Forum, created to develop best practices within the SSL/TLS industry, created a mandate to bring the 1024-bit RSA key size to end of life by December 31st, 2013.
The Responsibility of a CA
All responsible Certificate Authorities (CAs) should have their customer base of this regulation change and assisted them with their migration to a more secure keysize.Due to the industry’s end-of-life mandate on 1024-bit certificates, Certification Authorities have the difficult requirement to revoke 1024-bit RSA certificates that expire after 12/31/13.
If you have an SSL certificate which was issued by a CA, and have not been contacted by them regarding issues with either your PRIMARY or SECONDARY SSL certificates, you should open an inquiry with the issuing CA as quickly as possible to prevent possible intrusion into your networks and systems.
If you believe you have issues with non-complient SSL certificates, you should immediately contact the issuer of your SSL certificate, you should immediately contact the issuer of your SSL certificate and ask them to ensure that both your primary and secondary SSL certificates are at least 2048 bit certificates.
What Does This Mean?
As a result of these changes, mandated by NIST, all current CERTS with a key size of 1024 bits or less than bits should have been replaced by 31 December, 2013, or users of smaller certs will run the risk of having them denied when they are checked in situations where they are used for encryptions. The minimum recommended SSL certificate length is now 2048 bits.For More Information:
- NIST Special Publication 800-131A | Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths | http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
- - Comodo 2048 bit SSL Certificates | http://www.incommon.org/certificates/doc/2048-bit-Certificates.pdf
- - Symantec | 1024-Bit Migration Informational Webinar | http://www.slideshare.net/NortonSecuredUK/1024-deck-may-2013
Bruce Barnes, owner of ChicagoNetTech is an active member of the SmarterTools online support team who's posts can be found on the SmarterTools Technical Support Forums.
Checkout the new ChicagoNetTech APP at: m.chicagonettech.com
No comments:
Post a Comment
Please keep all comments on topic and respect the poster of the original message.
Messages which attack a poster, contain profain language, are off topic, or are otherwise defamatory will be deleted from the blog.