[LINK] RFI: The Key-Length Currently Needed for SSL Security
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Dec 10 09:54:10 AEDT 2010
On Thu, Dec 9, 2010 at 1:58 PM, Roger Clarke wrote:
>[The article below suggests that the Chrome browser refuses to permit
>interactions with web-sites that use [presumably, symmetric] keys
>[presumably, for data encryption] shorter than 1024 bits.
At 14:43 -0800 9/12/10, Scott Howard replied:
>The obvious thing they would be referring to here is the length of
>the server's private key. The standard minimum for these for years
>has been 1024 bits, although it's recently been bumped to 2048 bits.
The relevant couple of paras. in the article say:
>Most secure websites utilise a suite of cipher keys that contain
>either 128 bits of information, 256 bits or 512 bits. Browsers
>interrogate servers about the keys they use (there are often
>several).
>But Google's Chrome browser sets a higher encryption standard,
>saying when it blocks access to CityLink that the website's operator
>can solve the security problem by installing a 1024 bit cipher key.
I therefore inferred that Chrome was requiring a longer
<symmetric/secret encryption key> than is currently the norm, not a
standard-length <asymmetric/private digital signature key>.
But I agree with Scott that there's more than a little scope for
confusion between the two. If so, is it Chrome, Transurban, the
reporter or me that's confused? (Or some combination of the above).
The article also says:
>CityLink's website security is audited quarterly by an independent
>IT company, Stratsec, at the behest of the companies that issue the
>credit and other transaction cards used on the site, and it received
>a clean bill of "high security health" only recently.
That suggests that Chrome is demanding a longer key (whichever key it
is) than the current financial industry standards require.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University