Introducing Algorithm Agility: ECC and DSA
Since 1976, public key cryptography has become the foundation on which secure communications are established over the Internet. The public key algorithm and infrastructure revolutionized cryptography and formed the basis for secure e-mail, e-commerce, and many other information exchanges. Throughout the development of PKI, new algorithms have been developed and refined that offer higher security and better performance, improving our ability to defend against the growing sophistication of modern security threats. And we're evolving right with them.
For our Enterprise-level customers, we're pleased and proud to announce our new Algorithm Agility program. Any Standard SSL Certificate can now be issued with either the RSA or the DSA algorithm, both included for the same price. Any Premium SSL Certificate has a third included option, the ECC algorithm, for better-performing production connections.
DSA (Digital Signature Algorithm) is a U.S. government-approved and certified encryption algorithm that was developed by the National Security Agency in 1991 as an alternative to the current standard RSA algorithm. It offers the same level of security and performance as RSA, but uses a different mathematical algorithm for signing and encryption. A DSA key pair will be the same size as the equivalent RSA key.
ECC offers greater security than other prevalent algorithms. As an example, Symantec ECC-256 certificates will offer security equivalent to a 3072-bit RSA certificate. Compared to a 2048-bit RSA key (the industry norm), ECC-256 keys are 10,000 times harder to crack. ECC can handle more users and more simultaneous connections, with smaller latency increases than the RSA alternative, on the same mid-range CPUs.
Timing matters. The NIST deadline for switching from 1024-bit to 2048-bit certificates is at the end of this year (http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf). Some testing has shown that RSA key size increases have a negative impact on server load and on the number of simultaneous connections possible. Enterprise organizations will need time to test their new, larger certificates to discover the trade-offs in performance, load times, latency, and other factors specific to their environment. Symantec's algorithm agility will help Enterprise test plans by providing options to test, so each organization can determine how to optimize for its specific security ecosystem. Testing parameters will depend on the transaction payload, web server, server hardware, cores, throughput, cipher suite, session cache, and SSL/TLS implementation.
You can choose to run just RSA, just DSA, just ECC, or multiple certificates in tandem to enhance your website security solution. Running multiple algorithms together helps protect your data with a broader array of encryption options, provided your web server supports this. We consider algorithm agility to be a natural feature of SSL Certificates: an organization shouldn't have to pay extra for the right to choose which encryption and signing algorithms are right for the way it does business online.
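The post says you can run RSA, DSA and ECC certificates in tandem where the web server supports it, and that the trade-offs have to be measured in your own environment. The shell script below is an added example, not Symantec's tooling and not part of the original post: it uses the openssl CLI to generate RSA-2048, RSA-3072, DSA-2048 and EC P-256 key pairs with throwaway self-signed test certificates, reports the key size of each, benchmarks sign/verify throughput with `openssl speed`, and writes an nginx server block that serves an ECDSA and an RSA certificate side by side so the server can pick whichever the client can verify. The host name example.test, the work directory and the file paths are placeholders; openssl 1.1.1 or later and nginx 1.11.0 or later (which accepts several `ssl_certificate` pairs) are assumed.

```shell
#!/bin/sh
# Added example (not Symantec's code): exercise the RSA / DSA / ECC choice with
# the openssl CLI and emit a dual-certificate nginx fragment for testing.
# Assumptions: openssl 1.1.1+ on PATH; every path under $WORKDIR is made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJECT="/CN=example.test"   # constructed test subject, not a real host

# Generate a private key into $WORKDIR/<name>.key.
# $2 is the algorithm (RSA, DSA, EC); $3 is the bit size or the curve name.
gen_key() {
  name="$1"; alg="$2"; size="$3"
  case "$alg" in
    RSA) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$size" \
           -out "$WORKDIR/$name.key" 2>/dev/null ;;
    EC)  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$size" \
           -pkeyopt ec_param_enc:named_curve -out "$WORKDIR/$name.key" 2>/dev/null ;;
    DSA) # DSA needs domain parameters first; generating them is the slow part.
         openssl genpkey -genparam -algorithm DSA \
           -pkeyopt "dsa_paramgen_bits:$size" -out "$WORKDIR/$name.params" 2>/dev/null
         openssl genpkey -paramfile "$WORKDIR/$name.params" \
           -out "$WORKDIR/$name.key" 2>/dev/null ;;
    *)   echo "unknown algorithm: $alg" >&2; return 1 ;;
  esac
}

# Self-sign a one-day test certificate for the key so a web server can load it.
gen_cert() {
  openssl req -new -x509 -key "$WORKDIR/$1.key" -subj "$SUBJECT" \
    -days 1 -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Print the key size in bits as reported by openssl (e.g. 2048 or 256).
key_bits() {
  openssl pkey -in "$WORKDIR/$1.key" -text -noout 2>/dev/null \
    | grep -o '[0-9][0-9]* bit' | head -n 1 | cut -d' ' -f1
}

# nginx server block serving an ECDSA and an RSA certificate in tandem.
# DSA is left out on purpose: its DSS cipher suites are absent from TLS 1.3
# and no longer offered by current browsers, so test DSA against your real
# client population before relying on it.
nginx_block() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name example.test;
    # nginx 1.11.0+ loads several certificate/key pairs and selects the one
    # the client's signature_algorithms can verify (ECDSA first, RSA fallback).
    ssl_certificate     $WORKDIR/ec256.crt;
    ssl_certificate_key $WORKDIR/ec256.key;
    ssl_certificate     $WORKDIR/rsa2048.crt;
    ssl_certificate_key $WORKDIR/rsa2048.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

main() {
  gen_key rsa2048 RSA 2048;  gen_cert rsa2048
  gen_key rsa3072 RSA 3072;  gen_cert rsa3072
  gen_key ec256   EC  P-256; gen_cert ec256
  gen_key dsa2048 DSA 2048;  gen_cert dsa2048
  for n in rsa2048 rsa3072 ec256 dsa2048; do
    printf '%-8s %s-bit key, certificate %s bytes\n' "$n" "$(key_bits "$n")" \
      "$(wc -c < "$WORKDIR/$n.crt" | tr -d ' ')"
  done
  nginx_block > "$WORKDIR/dual-cert.conf"
  echo "nginx fragment written to $WORKDIR/dual-cert.conf"
  # Compare sign/verify throughput of the candidate key types, one second each.
  openssl speed -seconds 1 rsa2048 rsa3072 ecdsap256
}

# Run the demo only when invoked as: sh agility-demo.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it with `sh agility-demo.sh run`; without the argument it only defines the functions. The printed key sizes show the point made above in concrete terms: the 256-bit EC key and the 3072-bit RSA key sit at the same security level, and the `openssl speed` summary shows how the signing cost of the two compares on your own CPU. The nginx fragment pairs only RSA with ECDSA because that is what current TLS clients negotiate; whichever combination you deploy, load the fragment into a staging server and measure it against the payload, session cache and cipher suite settings you actually run.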