Symantec announced new website security solutions including support for new SSL encryption algorithms like Elliptic Curve Cryptography (ECC) and Digital Signature Algorithm (DSA). ECC provides stronger encryption with shorter keys, improved server and desktop performance, and meets future security needs. Symantec is the first certificate authority to offer ECC commercially. The announcements also included new services like the Certificate Intelligence Center and Secure App Service to help customers manage certificates and code signing keys.
Symantec Web Security Solutions
1. Symantec Website Security Solutions and Algorithm Agility Announcements
February 13, 2013
Quentin Liu, Sr. Director Engineering
Robert Hoblit, Sr. Director of Product Management
Deena Thomchick, Director of Product Marketing
2. What’s New
• Website Security Solutions (WSS) Vision and Strategy
• New SSL Encryption Algorithms
  • Elliptic Curve Cryptography (ECC)
  • Digital Signature Algorithm (DSA)
• Symantec’s Partners for ECC Adoption
• Expanding WSS Portfolio to Protect Future of the Internet and eCommerce
  • Symantec Certificate Intelligence Center Service
  • Symantec Secure App Service
  • Symantec AdVantage
3. Protecting the Hyper-Connected World
Need for NEW Protection Models to Secure the Future Internet
[Infographic: drivers and scale of the hyper-connected world]
• Technology Advancements
• Advanced Threats
• Clouds
• Mobile
• Information Explosion
• Regulatory & Compliance
• 30 Billion Connected Devices
• IT Complexities & Challenges
• Applications
• eCommerce: $1 Trillion
• Digital & Social Life
• Advertising: $102 Billion
4. Website Security Solutions Vision
Enabling people, businesses and countries… to protect and manage their digital information… so they can focus their time and energy achieving their aspirations
• Enable: Enable our customers to meet performance, compliance, privacy and security regulatory requirements
• Protect: Protect the information and online presence of our customers and their end users
• Trust: Confer Trust to accelerate the growth of online information sharing and global Internet commerce
5. Website Security Solutions Strategy
• Trusted Advertising
• Trusted Applications
• Trusted Shopping
Foundation of Trust on the Internet
6. Key Drivers Demand the Need for New SSL Solutions
[Diagram: ECC, DSA and RSA at the centre, surrounded by four drivers]
• NIST Recommendations
• Compliance Requirements
• Increased Attacks & Outages
• Mobile & Cloud Proliferation
7. Extending Symantec SSL: New Algorithms and Solutions
• First CA to offer 3 crypto algorithms
• Available soon in Managed PKI SSL Certificates
• No additional charges for ECC and DSA
More Choices | Improved Performance | Increased Security
8. Elliptic Curve Cryptography Overview
1. Stronger Encryption
• Shorter key than RSA
• 256-bit ECC = 3072-bit RSA
• 10k times harder to crack than RSA 2048
• Meets NIST recommendations
2. Efficient Performance
• Efficiency increases with higher server loads
• Utilizes less server CPU
• PC’s: Faster page load time
• Ideal for mobile devices
3. Highly Scalable
• Large SSL deployments w/out additional hardware
• Securing the enterprise: Use fewer resources; Lower costs
4. Future of Crypto Tech
• Viable for many years
• Built for Internet of Things
• Supports billions of new devices coming online
• Ideal for Open Networks
• Truly ‘future proof’ trust infrastructure in place
9. ECC Delivers Increased Security
10k Times Harder to Break Than RSA Key
[Chart: Key Size (bits), 0 to 18000, plotted against MIPS Years to break (1.00E+12 to 1.00E+66, log scale) for ECC and RSA; annotated with “Current acceptable security level [10^24 MIPS years]”, “Current Ind. Std.” and “SYMC ECC”]
• The longer the RSA key, the less applicable it becomes in the real world.
• ECC maintains very complex cryptography w/key lengths that meet demands of reality
Source: Symantec Internal Research and Testing
Computations: http://www.nsa.gov/business/programs/elliptic_curve.shtml
ECC offers greater security as compared to other prevalent algorithms.
Symantec ECC-256 certificates will offer security equivalent to a 3072-bit RSA certificate.
Compared to a 2048 RSA key (which is the industry norm), ECC-256 keys are 10,000 times harder to crack.
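A worked check of the key-size equivalence stated above, added here as an example that is not part of the Symantec deck: it applies the general-number-field-sieve cost heuristic that NIST uses in its FIPS 140-2 Implementation Guidance to RSA modulus sizes, the Pollard-rho bound to curve sizes, and then looks up the smallest tabulated RSA size that matches each curve. It goes beyond the slide's single 256-bit case by also covering P-384 and P-521; the function names and the list of RSA sizes are this example's own.

```python
import math

# Added example, not from the Symantec deck. Estimates the "security strength"
# (log2 of attack work) that NIST associates with RSA and ECC key sizes, to show
# why the deck pairs 256-bit ECC with 3072-bit RSA (SP 800-57 Part 1, Table 2).

# Sub-exponential cost of factoring an L-bit modulus with the general number
# field sieve, in the form used by FIPS 140-2 IG 7.5 / SP 800-56B:
#   x = (1.923 * cbrt(L ln2) * (ln(L ln2))^(2/3) - 4.69) / ln2
# 1.923 is (64/9)^(1/3); 4.69 is the empirical offset from Lenstra/Verheul.
def rsa_strength_bits(modulus_bits: int) -> float:
    n = modulus_bits * math.log(2)            # natural log of the modulus size 2^L
    work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return work / math.log(2)                 # convert ln(work) to bits


# The best generic attack on a prime-order elliptic-curve group is Pollard rho,
# costing about sqrt(n) group operations, i.e. half the field size in bits.
def ecc_strength_bits(field_bits: int) -> int:
    return field_bits // 2


# RSA sizes commonly tabulated by NIST (list chosen for this example).
RSA_SIZES = (1024, 2048, 3072, 4096, 7680, 15360)


def matching_rsa_size(ec_bits: int) -> int:
    """Smallest tabulated RSA size whose estimated strength reaches the curve's."""
    target = ecc_strength_bits(ec_bits)
    for size in RSA_SIZES:
        if rsa_strength_bits(size) >= target:
            return size
    raise ValueError("no tabulated RSA size reaches %d bits" % target)


if __name__ == "__main__":
    for size in RSA_SIZES:
        print("RSA-%-5d ~%5.1f-bit strength" % (size, rsa_strength_bits(size)))
    for curve in (256, 384, 521):
        print("P-%d (%d-bit strength) needs RSA-%d"
              % (curve, ecc_strength_bits(curve), matching_rsa_size(curve)))
```

The heuristic gives roughly 110 bits for RSA-2048 and 132 bits for RSA-3072, which NIST rounds to the 112 and 128 in its tables; a 256-bit curve sits at 128 bits, so RSA-3072 is the first tabulated size that matches it.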
10. Improved Server Performance Under Peak Loads
• ECC 256 has better performance than RSA at 0, 90k and 200k connections
• Web pages encrypted w/ECC load faster than those with RSA
• ECC performance numbers are expected to significantly improve over time as the industry optimizes for ECC as they did for RSA
• With better performance – customers will need to purchase fewer servers to handle SSL connections – a big cost savings
• Performance Efficiencies
  • Uses less server power
  • Handles more requests
  • Scalable
Source: Symantec Internal Research and Testing
11. Improved Desktop Performance and User Experience
As a server gets hit with more traffic, ECC… processes more requests… in less time… without affecting load… than RSA
Source: Symantec Internal Research and Testing
13. Symantec RSA and DSA Provide More Choices
Both RSA and DSA are offered at 2048 bits and are equivalent in security strength and performance
RSA
• RSA is currently 100% of the World’s SSL Certificate install base
• If you’re on the web and see HTTPS, you’re using RSA
• The industry this year will move from 1024 to 2048-bit keys
• From a brute force attack perspective, RSA 2048 keys will be viable until 2030
DSA
• DSA was developed by the NSA (US Government) as an alternative to RSA
• Although historically of interest to the US public sector, it is yet another choice in crypto algorithm
• DSA offers the same security and key length as RSA, with different math
14. The Most Common SSL Concerns by Enterprises
“Typical company lost $222k last year due to certificate mishaps”
Biggest certificate issues due to the following:
• Unexpected Expirations
• Rogue Certificates
• Misconfigured Certificates
• Missed Server Install
• Security Breaches
What does this cost an enterprise?
• Missed sales opportunities
• Damage to brand and credibility
• Defection to competitors
• Calls to customer support
• Lost productivity
• Calls to tech support
Source: Symantec SSL Management Customer Survey, February 2013
15. New: Symantec® Certificate Intelligence Center 2.0
Discover, Track and Automate SSL Certificate lifecycle
Automation
• Avoid painful, multi-step process to renew, replace and install a certificate
• Consolidate to Symantec certificates
• Auto-discover supported applications
• Eliminate human error and installation overhead
Discovery and Business Continuity
• Highly optimized discovery of SSL certificates
• Scheduled and on-demand discovery capabilities
• Rich reporting functionality
• Notification capabilities
16. New: Symantec® Secure App Service
Secure and Track Code Signing Keys
Security and Control
• Prevent security compromise with unique keys for each signing
• Maintain control and avoid stolen or misplaced keys by storing keys with a trusted Certificate Authority
• Ensure accountability with full audit and reporting capabilities
• Provide support for a wide range of file options including Microsoft Authenticode, Java .jar, Java Mobile and Android
• Easily integrate with enterprise environment via SOAP API
• Full management GUI available in Summer 2013
17. Malvertisements and Repercussions
An advertisement infected with malware = malvertisement
• Increase 20x from 2010 to 2012
• 50%+ of publishers have experienced 1+ times
• Prime Time for Attacks: Peak online traffic, long weekend, etc.
Repercussions
• Business Disruption
• Loss of Revenue
• Brand and Reputation Damage
• Long Term Business Impact
• Reparation Costs
Source: Symantec AdVantage Malvertising Survey, September 2012
18. Symantec® AdVantage
Real-time detection, notification and analysis of malvertisements
“Symantec AdVantage provides critical security against the malicious advertisements that can ruin display advertising, damage brand reputation and ultimately, hurt eCommerce businesses.”
Eng Tat, Head of Technology Development, Innity
Brand Protection and Business Continuity
• Avoid browser shutdowns and being blacklisted with real-time detection and instant notification of malvertisements
• Identify new threats including zero-day threats, with new revolutionary scanning methodology
• Improve security with visual ad trace-back to track source of malvertisement
• Develop strategic business decisions based on detailed ad analytics, reputation scores and other key data points
19. WSS Advances Future of Online Trust and Protection
Symantec Website Security Solutions accelerates the growth of online information sharing and eCommerce
• Leadership: Algorithm Agility with ECC, DSA and RSA
• First Certificate Authority (CA) to offer commercially available ECC solutions for:
  • Improved protection
  • Improved server performance under peak loads
  • Improved desktop performance for better end user experience
  • Meeting NIST, government and compliance requirements
• Symantec partners with industry leaders to accelerate ECC adoption
• New to WSS Portfolio: CIC v2, Secure App Service, AdVantage
22. Quotes
“The future is going to necessitate increasingly higher security cryptography and Akamai sees ECC as a technology that will allow cloud platforms to scale to meet those security demands without the crippling complexity of today’s common algorithms,” explained Stephen Ludin, chief architect, Akamai Technologies. “It is a significant step forward to better protect our data online in this hyper-connected world. As the Certificate Authority ecosystem for ECC gets ready, we will be building support into the Akamai Intelligent Platform.”

“Citrix recognizes that ECC encryption represents the future of SSL encryption,” said Steve Shah, Sr. Director, Citrix. “This shift in the cryptographic infrastructure is clearly a next generation approach to the security ecosystem, allowing for better scalability in cloud computing and the supporting infrastructure. Once the certification authority infrastructure is in place, the trend will be clear to follow for networking product groups to make remote datacenters more accessible quickly, even allowing for increasing key sizes and increasing security needs.”

“F5 helps customers seamlessly combine industry-leading traffic management with security and access solutions, including VPN and SSL encryption capabilities,” said Jason Needham, VP of Product Management and Product Marketing, F5 Networks. “One of the primary goals is to give organizations more choice and flexibility in deploying technologies to suit their business needs. F5 is proud to team up with leaders like Symantec to help enterprises and service providers enhance web and mobile security while scaling to better support cloud and BYOD initiatives.”

“We believe in constantly furthering web security, which is why Chrome supports Elliptic Curve Digital Signature Algorithm (ECDSA) on all modern operating systems,” said Adam Langley, software engineer at Google.
23. Quotes
“HID Global specializes in security access solutions for the cloud, data and the door, with a comprehensive portfolio incorporating both physical and logical access solutions,” said Julian Lovelock, VP of Product Marketing at HID Global. “We’re very supportive of the new DSA and ECC algorithm options emerging in the marketplace, and we strongly feel that where the NIST Suite B has drawn up the future of security algorithms, the industry will follow.”

“Juniper's SSL VPN solution, #1 in the world market, supports both ECC and DSA algorithms for added security and flexibility. The Junos Pulse SSL VPN client and gateway software are both FIPS compliant,” said Michael Callahan, VP of product marketing, Juniper Networks. “We are fully committed to and continue to invest in standards-based security solutions, including the strictest of NIST Suite B standards for our customers, across federal, enterprise and service provider markets.”

“At Opera we are committed to both high quality and security, and we welcome the adoption of new and improved security standards on the web. Elliptic Curve Cryptography provides significant improvements over earlier algorithm standards, and we are delighted to see Symantec support it. Opera's Presto engine added support for ECC in version 395.”
Source: Security Manager at Opera

“Red Hat and Symantec have long collaborated to bring compelling, secure solutions to our customers. We continue to be interested in providing the advantages of increased security and computational efficiency that elliptical curve cryptography (ECC) offers for key management and digital signature, and have been an active participant with Symantec in Project Beacon. Currently, our Red Hat Certificate System supports ECC public-key cryptographic systems and continues to enhance its web browser and operating system ECC support.” - Bryan Che, General Manager, Cloud Business Unit, Red Hat
Editor’s notes
Symantec is the first CA to offer 3 crypto algorithms: RSA 2048, DSA 2048 and ECC 256, included as options, free of charge. DSA is included in standard MPKI SSL Certificates; ECC and DSA are offered in Premium MPKI SSL Certificates.
Why are we launching new algorithms?
• Offer choice to customers
• DSA 2048 for US Government preferences
• ECC 256 for high connection speeds at load
• RSA 2048 for safe business as usual
It’s about the future:
• More secure connections to your servers
• Improved performance on your servers
Pricing for SSL Cert with ECC and DSA – Premium Certificates and Services:
• Symantec™ Secure Site Pro - $995
• Symantec Secure Site Pro EV SSL Certificates with ECC - $1495 (as of 2/13/13)
The yellow bubble shows that ECC is already years ahead of the current industry standard of 2048-bit encryption, and we haven’t even begun to test the limits of ECC’s capabilities to encrypt and protect data. ECC performs better in comparison to RSA as requests per second increase. This translates into faster page loads for PC. These numbers are preliminary and are expected to greatly improve.
Source: Symantec Internal Research and Testing
Computations: http://www.nsa.gov/business/programs/elliptic_curve.shtml
• ECC: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• RSA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• ECC 384-256-256; RSA 2048-2048-2048
• Desktop page sizes: 200K
• Specifications: 8 cores, 7 GiB of memory, clock frequency: 2.33 GHz, network: 1 Gbps
• Web server: Apache 2.4.3
• openssl: 1.0.1c
• Worst case scenario as session reuse = 0%
In terms of server performance, ECC:
• Uses less server power
• Handles more requests
• Scales well to handle: traffic spikes, business growth, enterprise-wide network security
Test setup:
• ECC: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• RSA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• ECC 384-256-256; RSA 2048-2048-2048
• Desktop page sizes: 0K, 90K, 200K
• Server specifications: 8 cores, 7 GiB of memory, clock frequency: 2.33 GHz, network: 1 Gbps
• Web server: Apache 2.4.3
• openssl: 1.0.1c
• Server time: includes SSL Handshake time (key derivations: ECDHE) + data encryption + file transfer time
• Worst case scenario as session reuse = 0%