[LINK] RFI: The Key-Length Currently Needed for SSL Security

Roger Clarke Roger.Clarke at xamax.com.au
Fri Dec 10 09:54:10 AEDT 2010


On Thu, Dec 9, 2010 at 1:58 PM, Roger Clarke wrote:
>[The article below suggests that the Chrome browser refuses to permit
>interactions with web-sites that use [presumably, symmetric] keys
>[presumably, for data encryption] shorter than 1024 bits.

At 14:43 -0800 9/12/10, Scott Howard replied:
>The obvious thing they would be referring to here is the length of 
>the server's private key.  The standard minimum for these for years 
>has been 1024 bits, although it's recently been bumped to 2048 bits.

The relevant couple of paras. in the article say:
>Most secure websites utilise a suite of cipher keys that contain 
>either 128 bits of information, 256 bits or 512 bits. Browsers 
>interrogate servers about the keys they use (there are often 
>several).
>But Google's Chrome browser sets a higher encryption standard, 
>saying when it blocks access to CityLink that the website's operator 
>can solve the security problem by installing a 1024 bit cipher key.

I therefore inferred that Chrome was requiring a longer 
<symmetric/secret encryption key> than is currently the norm, not a 
standard-length <asymmetric/private digital signature key>.

But I agree with Scott that there's more than a little scope for 
confusion between the two.  If so, is it Chrome, Transurban, the 
reporter or me that's confused?  (Or some combination of the above).

The article also says:
>CityLink's website security is audited quarterly by an independent 
>IT company, Stratsec, at the behest of the companies that issue the 
>credit and other transaction cards used on the site, and it received 
>a clean bill of ''high security health'' only recently.

That suggests that Chrome is demanding a longer key (whichever key it 
is) than the current financial industry standards require.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
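
Added example, not part of the original message or the list archive: a Python sketch that separates the two key lengths the thread is trying to tell apart, by listing the symmetric key strength of every cipher suite the local OpenSSL build enables and checking a quoted length against it. The set of RSA modulus sizes and the function names are assumptions made for this example.

```python
import ssl
from collections import defaultdict

# Assumption for this example: RSA modulus sizes commonly seen in certificates.
RSA_MODULUS_SIZES = {512, 768, 1024, 2048, 3072, 4096}


def symmetric_strengths(ctx=None):
    """Return {secret-key bits: [suite names]} for the enabled cipher suites."""
    ctx = ctx or ssl.create_default_context()
    by_bits = defaultdict(list)
    for suite in ctx.get_ciphers():
        # strength_bits is the symmetric (bulk encryption) key strength.
        by_bits[suite["strength_bits"]].append(suite["name"])
    return dict(by_bits)


def auth_methods(ctx=None):
    """Return the set of authentication mechanisms the enabled suites name."""
    ctx = ctx or ssl.create_default_context()
    # 'auth' names the certificate key type (e.g. auth-rsa), never its length.
    return {suite.get("auth", "unknown") for suite in ctx.get_ciphers()}


def classify_key_length(bits, ctx=None):
    """Say which kind of key a quoted length can plausibly refer to."""
    if bits in symmetric_strengths(ctx):
        return "symmetric"
    if bits in RSA_MODULUS_SIZES:
        return "asymmetric"
    return "unknown"


if __name__ == "__main__":
    for bits, names in sorted(symmetric_strengths().items()):
        print(f"{bits}-bit symmetric key: {len(names)} suites, e.g. {names[0]}")
    print("authentication mechanisms:", sorted(auth_methods()))
    for quoted in (128, 256, 1024):  # lengths quoted in the article
        print(quoted, "->", classify_key_length(quoted))
```

The cipher suite fixes only the symmetric key length; the size of a server's public key is read from its certificate, for example from the `Public-Key: (N bit)` line printed by `openssl x509 -noout -text`.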