I was following a post on a public support forum about SHA1 and collision
probabilities, and this got me thinking about the SHA1 checker website
http://www.sha2sslchecker.com
This site allows you to query SSL information on "public" facing sites. It's very useful for looking at SSL information, including from a
hierarchical (chain) standpoint.
Take my website. The SHA SSL checker shows:
NOTE: the information includes key size and lifetime (expiration).
This site is useful for those who don't know how to use openssl to get the same information. It also provides a full-tree view of all intermediates, including the root CAs.
For example, using the sslchecker website we can easily find the key size and type, and the
expirations.
NOTE: a child at the bottom of the tree will NEVER have an expiration longer than the parent above it.
To find out more about SHA1 and collisions please review the wiki link
http://en.wikipedia.org/wiki/SHA-1
The new crowd of website admins falls into "we must must must change our key size" (which could be a good thing). The old saying "the lock is only as good as the key" does truly apply.
You will find that the root CAs typically are still signing off a SHA1 key at 1024 bits. So they don't seem too fazed by the sky-is-falling crowd.
e.g.:
hp.com
yahoo
bing
microsoft
att
google
ebay
thawte.com
twitter
But don't get too caught up in these numbers until you pull and validate the cert in detail and understand what technologies they are using.
For example, the SHA checker and facebook:
But in reality this is a military grade of encryption and protection.
ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)
You can read more about Elliptic Curve from guess who? Our friends at the NSA :)
https://www.nsa.gov/business/programs/elliptic_curve.shtml
[QUOTE]
However, unlike the RSA and Diffie-Hellman cryptosystems that slowly
succumbed to increasingly strong attack algorithms, elliptic curve
cryptography has remained at its full strength since it was first
presented in 1985.
[/QUOTE]
and
[QUOTE]
For protecting both classified and unclassified National Security
information, the National Security Agency has decided to move to
elliptic curve based public key cryptography.
[/QUOTE]
So a 256-bit Elliptic Curve key size is in the same order as a 3K-bit RSA key.
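Here is an added example, not from the post or from the checker site, of pulling the same facts locally with Go's standard library: it builds a constructed two-certificate chain (a P-256 root CA signing an RSA-1024 leaf, the weak key size mentioned above), reports each certificate's key type and size, flags a SHA1 signature or a sub-2048-bit RSA key, and checks the NOTE that a child must not outlive its parent. The names "Demo Root CA" and "demo.example" are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Assess returns what the checker site shows for one certificate (key type and bit size) plus a weak
// flag for the two things the post discusses: a SHA1-based signature or an RSA key under 2048 bits.
func Assess(c *x509.Certificate) (keyType string, keyBits int, weak bool) {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		keyType, keyBits = "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		keyType, keyBits = k.Curve.Params().Name, k.Curve.Params().BitSize
	}
	sha1 := c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.ECDSAWithSHA1
	return keyType, keyBits, sha1 || (keyType == "RSA" && keyBits < 2048)
}

// ExpiryOrdered checks the NOTE above on a leaf-first chain: a child must not outlive its issuer.
func ExpiryOrdered(chain []*x509.Certificate) bool {
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].NotAfter.After(chain[i+1].NotAfter) {
			return false
		}
	}
	return true
}

// BuildChain is a constructed demo chain (not a real site's): a P-256 root CA signing an RSA-1024 leaf,
// the weak key size the post mentions. Errors are ignored: fixed templates and fresh keys cannot fail here.
func BuildChain(leafDays, rootDays int) []*x509.Certificate {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, rootDays), IsCA: true, BasicConstraintsValid: true}
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "demo.example"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, leafDays)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return []*x509.Certificate{leaf, ca}
}
```

Point the same functions at a chain fetched with openssl s_client and parsed with x509.ParseCertificate to get the checker's report for a live site.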
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \