Monday, October 27, 2014

SHA1 keysize checker

I was following a post on a public support forum about SHA1 and collision probabilities, and this got me thinking about the SHA1 checker website:

http://www.sha2sslchecker.com

This site lets you query the SSL certificate details of public-facing sites. It is very useful for looking at SSL information, and for seeing the chain as a whole: the leaf, the intermediates and the root it ends in.

Take my website. The SHA SSL checker shows:


NOTE: the information includes the key size and the lifetime (expiration).

This site is useful for those who don't know how to use openssl to pull the same information. It also provides a full tree view of all intermediates, up to and including the root CA.

For example, using the sslchecker website we can easily find the key size and type and the expiration dates.


NOTE: in practice a CA will not issue a certificate that outlives its own, so a child at the bottom of the tree normally expires before the parent above it. That is CA policy, not a rule of the format: RFC 5280 path validation only checks that every certificate in the chain is within its validity period at the moment of the check, so a leaf whose expiration is later than its issuer's still validates right up until the issuer itself expires.
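The same facts the checker site displays (signature hash, key type and size, expiration) can be pulled with nothing but the openssl CLI. The script below is an added example, not code from the original post: it builds a throwaway CA and leaf locally so it runs offline, prints a checker-style summary for each, and shows that a leaf set to outlive its CA still verifies today. It assumes an `openssl` binary (1.1.1 or 3.x); the host names, the demo CA and the 30/400-day lifetimes are constructed for the demonstration. `security_bits` maps key sizes to the NIST SP 800-57 strength classes, which is the comparison behind "a 256-bit EC key is in the same order as a 3K-bit RSA key" later in the post.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the checker site's
# view of a certificate with the openssl CLI, and show that nothing in
# chain validation requires a leaf to expire before its issuer.
# Assumes the openssl binary (1.1.1 or 3.x); names below are constructed.
set -eu

# Live use against a public site: dump the chain the server actually sends
# (leaf first, then intermediates). Needs network, so not run in the demo.
fetch_chain() {  # fetch_chain www.example.com > chain.pem
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Signature algorithm of a PEM cert, e.g. sha1WithRSAEncryption or
# ecdsa-with-SHA256. It is the hash the SHA1-vs-SHA2 debate is about, and it
# belongs to the *issuer's* key, not to the key inside this certificate.
cert_sig_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# Public key algorithm (rsaEncryption, id-ecPublicKey) and its size in bits.
# The regex also matches the "RSA Public-Key:" wording of OpenSSL 1.1.1.
cert_key_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1; }
cert_key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# Expiry as printed by openssl, e.g. "Jan  1 00:00:00 2030 GMT".
cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Prints yes if the cert will have expired N days from now, else no
# (openssl -checkend exits non-zero when the cert expires within the window).
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then echo no; else echo yes; fi
}

# Security strength in bits per NIST SP 800-57 Part 1: RSA modulus sizes map
# to fixed classes, an EC key gives roughly half its field size.
security_bits() {  # security_bits <rsaEncryption|id-ecPublicKey> <bits>
    case "$1" in
        rsaEncryption)
            case "$2" in
                1024) echo 80 ;; 2048) echo 112 ;; 3072) echo 128 ;;
                7680) echo 192 ;; 15360) echo 256 ;; *) echo unknown ;;
            esac ;;
        id-ecPublicKey) echo $(( $2 / 2 )) ;;
        *) echo unknown ;;
    esac
}

# Build a throwaway RSA-2048 CA valid 30 days and a P-256 leaf it signs for
# 400 days, in scratch directory $1. A real CA would not do this, but path
# validation only checks that each cert is valid now, so the chain verifies.
make_demo_chain() {
    d="$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
        '[dn]' 'CN = Demo Test CA' \
        '[ca_ext]' 'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        > "$d/ca.cnf"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -config "$d/ca.cnf" -sha256 -days 30 -out "$d/ca.pem"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -config "$d/ca.cnf" -subj "/CN=www.demo.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -sha256 -days 400 -out "$d/leaf.pem" 2>/dev/null
}

# Prints OK when the leaf chains to the CA and both are currently valid.
verify_chain() {  # verify_chain ca.pem leaf.pem
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Stand-alone run: build the demo chain and print a checker-style summary.
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
for f in ca leaf; do
    p="$demo_dir/$f.pem"
    printf '%s: sig=%s key=%s/%s strength=%s bits notAfter=%s\n' "$f" \
        "$(cert_sig_alg "$p")" "$(cert_key_alg "$p")" "$(cert_key_bits "$p")" \
        "$(security_bits "$(cert_key_alg "$p")" "$(cert_key_bits "$p")")" "$(cert_not_after "$p")"
done
printf 'chain verifies: %s (CA expires within 60 days: %s, leaf: %s)\n' \
    "$(verify_chain "$demo_dir/ca.pem" "$demo_dir/leaf.pem")" \
    "$(expires_within_days "$demo_dir/ca.pem" 60)" "$(expires_within_days "$demo_dir/leaf.pem" 60)"
rm -rf "$demo_dir"
```

Note that the leaf's signature algorithm comes out as sha256WithRSAEncryption even though its own key is EC: the signature is made with the issuer's key, which is exactly why a SHA1-signed root does not imply a SHA1-signed leaf, and vice versa. For a public site, replace the demo files with the output of `fetch_chain` split into one PEM per certificate.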

To find out more about SHA1 and collisions, see the Wikipedia article:

http://en.wikipedia.org/wiki/SHA-1

The new crowd of website admins falls into "we must, must, must change our key size" (which could be a good thing). Keep in mind, though, that SHA1 deprecation and key size are two separate things: SHA1 is the hash used in the certificate's signature, while the key size is the length of the RSA modulus or the EC curve. Moving from a 1024-bit to a 2048-bit RSA key does nothing about a SHA1 signature, and re-signing with SHA-256 does nothing for a weak key. The old saying "the lock is only as good as the key" does truly apply.

You will find that many root CA certificates are still self-signed with SHA1, some of the older ones with 1024-bit keys, so the root operators don't seem too fazed by the sky-is-falling crowd. For the root itself that is fine: its self-signature is never verified, because trust comes from the root being in the browser or OS trust store. The SHA1 sunset is about the intermediates and leaf certificates those roots sign.

For example:

hp.com
yahoo
bing
microsoft
att
google
ebay
thawte.com
twitter


But don't get too caught up in these numbers until you pull the certificate, validate it in detail and understand what technologies the site is actually using.


For example, the SHA checker on facebook:



The checker reports a 256-bit key, which looks tiny next to 2048-bit RSA, but the key is not RSA at all: it is an ANSI X9.62 elliptic curve key on prime256v1 (aka secp256r1, NIST P-256), the curve the NSA's Suite B specifies for protecting information up to SECRET. An EC key size cannot be compared bit-for-bit with an RSA modulus.


You can read more about elliptic curve cryptography from, guess who, our friends at the NSA :)

https://www.nsa.gov/business/programs/elliptic_curve.shtml


[QUOTE]
However, unlike the RSA and Diffie-Hellman cryptosystems that slowly succumbed to increasingly strong attack algorithms, elliptic curve cryptography has remained at its full strength since it was first presented in 1985.
[/QUOTE]


and

[QUOTE]
For protecting both classified and unclassified National Security information, the National Security Agency has decided to move to elliptic curve based public key cryptography.  
[/QUOTE]


So a 256-bit elliptic curve key is in the same security class as a 3072-bit RSA key: NIST SP 800-57 rates both at about 128 bits of security (and 2048-bit RSA at 112 bits), which is why the "small" 256-bit number on the checker is nothing to worry about.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \

