SlideShare uma empresa Scribd logo

Symantec’s View of the Current State of ECDSA on the Web

CASCouncil
CASCouncil

CASC Member Rick Andrews talked at the ECC workshop about ECDCSA certs. Learn more: http://bit.ly/1CvReL4

Tecnologia
1 de 15
Baixar para ler offline
Symantec’s View of the Current State of ECDSA on theWeb Rick Andrews Senior Technical Director and Distinguished Engineer
Agenda 1 Curves used in current practice 2 Market Penetration 3 Why customers use ECDSA 4 Why customers don’t use ECDSA 5 Impact of new ECC curves Copyright © 2015 Symantec Corporation 2
Curves in Current Practice for Web-based TLS • NSA published Suite B; adopted by NIST – https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml • Only NIST-recommended curves have been used in practice for SSL/TLS certificates – IETF published “ECC Cipher Suites for TLS” • http://www.ietf.org/rfc/rfc4492.txt • Defined Supported Elliptic Curves Extension – IETF published “Suite B Certificate and Certificate Revocation List (CRL) Profile” • http://tools.ietf.org/html/rfc5759 – IETF published “Suite B Profile for TLS” • http://tools.ietf.org/html/rfc6460 • Restricts TLS to use P-256, P-384 (not P-521) • Most roots in browsers’ trust stores are P-384 Copyright © 2015 Symantec Corporation 3
Browser/OS Support for ECDSA and Roots • Mozilla Firefox browser (since 3.6.28, NSS 3.11) trusts 11 ECC roots (10 P-384, 1 P-256) – https://wiki.mozilla.org/CA:IncludedCAs – https://bugzilla.mozilla.org/show_bug.cgi?id=195135 – Platform independent • Safari browser depends on platform - Mac OS X (since 10.9.1) and iOS (since 7) trust 13 ECC roots (12 P-384, 1 P-256) – http://support.apple.com/kb/HT6005 – http://support.apple.com/kb/HT5012 • IE (since Vista) / Windows Phone 8 trusts 14 ECC roots (13 P-384, 1 P-256) – http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and- windows-phone-8-ssl-root-certificate-program-member-cas.aspx Copyright © 2015 Symantec Corporation 4
Browser/OS Support for ECDSA and Roots • Android (since 3.x) trusts 6 ECC roots – https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations- into-the-root-certificates-on-mobile-devices/ • Desktop Chrome and Opera (Chromium) use platform crypto and trusted root store – Except on Linux, where the browser includes Mozilla’s NSS trust store. • Blackberry (since 5.0) Copyright © 2015 Symantec Corporation 5
Curves Supported in Mozilla NSS Copyright © 2015 Symantec Corporation 6 NIST_P192 NIST_P224 NIST_P256 NIST_P384 NIST_P521 NIST_K163 NIST_B163 NIST_K233 NIST_B233 NIST_K283 NIST_B283 NIST_K409 NIST_B409 NIST_K571 NIST_B571 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ecl/ecl-curve.h&rev=1.7&root=/cvsroot Unclear if each curve can be used for ECDSA and/or ECDH(E) X9_62_PRIME_192V2 X9_62_PRIME_192V3 X9_62_PRIME_239V1 X9_62_PRIME_239V2 X9_62_PRIME_239V3 X9_62_CHAR2_PNB163V1 X9_62_CHAR2_PNB163V2 X9_62_CHAR2_PNB163V3 X9_62_CHAR2_PNB176V1 X9_62_CHAR2_TNB191V1 X9_62_CHAR2_TNB191V2 X9_62_CHAR2_TNB191V3 X9_62_CHAR2_PNB208W1 X9_62_CHAR2_TNB239V1 X9_62_CHAR2_TNB239V2 X9_62_CHAR2_TNB239V3 X9_62_CHAR2_PNB272W1 X9_62_CHAR2_PNB304W1 X9_62_CHAR2_TNB359V1 X9_62_CHAR2_PNB368W1 X9_62_CHAR2_TNB431R1 SECG_PRIME_112R1 SECG_PRIME_112R2 SECG_PRIME_128R1 SECG_PRIME_128R2 SECG_PRIME_160K1 SECG_PRIME_160R1 SECG_PRIME_160R2 SECG_PRIME_192K1 SECG_PRIME_224K1 SECG_PRIME_256K1 SECG_CHAR2_113R1 SECG_CHAR2_113R2 SECG_CHAR2_131R1 SECG_CHAR2_131R2 SECG_CHAR2_163R1 SECG_CHAR2_193R1 SECG_CHAR2_193R2 SECG_CHAR2_239K1 WTLS_1 WTLS_8 WTLS_9
Curves Supported in Web Server Software • Microsoft Windows Server 2008; partial support – Can’t generate ECC CSR but can work with imported key and certificate – https://msdn.microsoft.com/en- us/library/windows/desktop/bb204775%28v=vs.85%29.aspx • Apache, nginx with latest OpenSSL • Oracle JRE/JDK 1.7 or newer • F5 11.5 or newer • IBM z/OS V1R13 or newer • CloudFlare (CDN) supports ECC Copyright © 2015 Symantec Corporation 7
Curves Supported in Other Web Software • OpenSSL (since 1.0) – P-224 P-256 P-384 P-521 – B-233 B-283 B-409 B-571 – K-233 K-283 K-409 K-571 – http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsahistoricalv al.html • Boring SSL (used in Google Chrome) supports P-224, P-256, P-384, P-521 – https://boringssl.googlesource.com/boringssl/+/master/crypto/ec/ec.c • GnuTLS supports P-192, P-224, P-256, P-384 and P-521 – http://gnutls.org/manual/gnutls.html Copyright © 2015 Symantec Corporation 8
Curves Supported in Other Web Software • Java JCE Providers (since Java 6) must support – sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1 – secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1 – From http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders .html and http://www.ietf.org/rfc/rfc4492.txt • BouncyCastle (since 1.32) supports SEC/NIST curves – http://www.bouncycastle.org/releasenotes.html • Mac OS X and iOS support P-192, P-224, P-256, P-384, P-521 – http://csrc.nist.gov/groups/STM/cmvp/documents/140- 1/140sp/140sp2021.pdf Copyright © 2015 Symantec Corporation 9
Certification Authorities that offer ECDSA certs • Symantec (includes VeriSign/GeoTrust/Thawte roots) • GlobalSign • Entrust • DigiCert • Comodo (includes USERTrust roots) • Trend Micro (includes AffirmTrust roots) • These CAs issue 67% of the world’s public SSL certificates, according to Netcraft Copyright © 2015 Symantec Corporation 10
Market Penetration • Rough estimates of the number of deployed ECDSA SSL certificates: – Netcraft’s scans show 1.96% of all public SSL certificates are ECDSA • Data available by subscription only – ICSI Certificate Notary says that 2.1% of the certificates it sees are ECDSA • http://notary.icsi.berkeley.edu – Majority of ECDSA certs are hosted by CloudFlare as part of their Universal SSL initiative • https://blog.cloudflare.com/introducing-universal-ssl/ – Most Symantec ECDSA customers are from the US, but interest is broadly distributed around the world (Europe, Africa, Middle East, Australia, Asia) • We see some demand in non-Web (device) IoT market Copyright © 2015 Symantec Corporation 11
Why Customers Choose ECDSA Certificates • Forward-thinking – want to experiment with alternatives to RSA • Symantec’s performance analysis showed significant server performance gains for P-256 over RSA 2048 – https://www.symantec.com/page.jsp?id=elliptic-curve-cryptography • Research demonstrated significant performance advantage of ECDSA/ECDHE over RSA/DH (PFS for free) – http://w2spconf.com/2014/papers/TLS.pdf Copyright © 2015 Symantec Corporation 12
What is holding back the market for ECDSA certs? • Legal/IP concerns were not allayed by the 2003 NSA-Certicom license • Distrust in Suite B curve choices after Snowden, especially in Europe • Lack of client support (Windows XP and non-traditional devices like smart TVs and Japanese feature phones) • RSA isn’t broken; risk of trying new algorithm; general lack of awareness • Lack of dual-stack support in web servers (except Apache – see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#comment_970) • Clients supporting ECDHE may not have ECDSA root; difficult for servers to know • ECDSA root may not be EV-enabled • Client-side performance penalty (ECDSA slower than RSA for signature verification for commonly-used key sizes) • “Heard there was some technical problem with ECDSA” – (if a cryptographically secure random integer is not selected, the private key can be determined) Copyright © 2015 Symantec Corporation 13
Impact of New Curves • Impact will likely be muted if IP issues are not cleared up • CAs need support in their HSMs and software toolkits • CAs will most likely sign keys from new curves using existing P- 256 or P-384 roots, to avoid delay of deploying roots using new curves – Signing with existing RSA roots or intermediates carries IP risk, but mitigates root ubiquity issue • Even though CAs may not initially create intermediate CA certs with new curves, we need to perform Proof of Possession of key. Usually done by checking signature on CSR, requiring support of new key curve in the CA’s HSMs and software toolkits. • Browser and web server vendors must support new curves Copyright © 2015 Symantec Corporation 14
Thank you! Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Rick Andrews rick_andrews@symantec.com 650-527-9506

Recomendados

TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
F5 Networks Adds To Oracle Database
F5 Networks Adds To Oracle DatabaseF5 Networks Adds To Oracle Database
F5 Networks Adds To Oracle DatabaseF5 Networks
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkRobb Boyd
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Priyanka Aash
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudPriyanka Aash
 
Meraki powered services bell
Meraki powered services bellMeraki powered services bell
Meraki powered services bellCisco Canada
 

Recomendados

TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
F5 Networks Adds To Oracle Database
F5 Networks Adds To Oracle DatabaseF5 Networks Adds To Oracle Database
F5 Networks Adds To Oracle DatabaseF5 Networks
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkRobb Boyd
 
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010Priyanka Aash
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudPriyanka Aash
 
Meraki powered services bell
Meraki powered services bellMeraki powered services bell
Meraki powered services bellCisco Canada
 
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Canada
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN SecurityPriyanka Aash
 
TechWiseTV Workshop: Nexus Data Broker
TechWiseTV Workshop: Nexus Data BrokerTechWiseTV Workshop: Nexus Data Broker
TechWiseTV Workshop: Nexus Data BrokerRobb Boyd
 
Shay - 2018 updated
Shay - 2018 updatedShay - 2018 updated
Shay - 2018 updatedNathan Shay
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewallmohannadalhanahnah
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Canada
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
F5 EMEA Webinar Oct'15: http2 how to ease the transition
F5 EMEA Webinar Oct'15: http2 how to ease the transitionF5 EMEA Webinar Oct'15: http2 how to ease the transition
F5 EMEA Webinar Oct'15: http2 how to ease the transitionDmitry Tikhovich
 
Cisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is nowCisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is nowCisco Canada
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPSmohannadalhanahnah
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
nana.owusu resume 3
nana.owusu resume 3nana.owusu resume 3
nana.owusu resume 3Nana Owusu
 
Ipv6
Ipv6 Ipv6
Ipv6 Akhila Madhushan
 
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Canada
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Canada
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep diveCisco DevNet
 
The Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeThe Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeCisco Enterprise Networks
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Securemohannadalhanahnah
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL PracticesBrian A. McHenry
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfMenakaDevi14
 

Mais conteúdo relacionado

Mais procurados

Cisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Canada
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN SecurityPriyanka Aash
 
TechWiseTV Workshop: Nexus Data Broker
TechWiseTV Workshop: Nexus Data BrokerTechWiseTV Workshop: Nexus Data Broker
TechWiseTV Workshop: Nexus Data BrokerRobb Boyd
 
Shay - 2018 updated
Shay - 2018 updatedShay - 2018 updated
Shay - 2018 updatedNathan Shay
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Canada
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksPriyanka Aash
 
F5 EMEA Webinar Oct'15: http2 how to ease the transition
F5 EMEA Webinar Oct'15: http2 how to ease the transitionF5 EMEA Webinar Oct'15: http2 how to ease the transition
F5 EMEA Webinar Oct'15: http2 how to ease the transitionDmitry Tikhovich
 
Cisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is nowCisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is nowCisco Canada
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
nana.owusu resume 3
nana.owusu resume 3nana.owusu resume 3
nana.owusu resume 3Nana Owusu
 
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Canada
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Canada
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep diveCisco DevNet
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 

Mais procurados (20)

Cisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network IntuitiveCisco Connect Toronto 2017 - Introducing the Network Intuitive
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security
 
TechWiseTV Workshop: Nexus Data Broker
TechWiseTV Workshop: Nexus Data BrokerTechWiseTV Workshop: Nexus Data Broker
TechWiseTV Workshop: Nexus Data Broker
 
Shay - 2018 updated
Shay - 2018 updatedShay - 2018 updated
Shay - 2018 updated
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
The New Landscape of Airborne Cyberattacks
The New Landscape of Airborne CyberattacksThe New Landscape of Airborne Cyberattacks
The New Landscape of Airborne Cyberattacks
 
F5 EMEA Webinar Oct'15: http2 how to ease the transition
F5 EMEA Webinar Oct'15: http2 how to ease the transitionF5 EMEA Webinar Oct'15: http2 how to ease the transition
F5 EMEA Webinar Oct'15: http2 how to ease the transition
 
Cisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is nowCisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is now
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
 
nana.owusu resume 3
nana.owusu resume 3nana.owusu resume 3
nana.owusu resume 3
 
Ipv6
Ipv6 Ipv6
Ipv6
 
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WANCisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep dive
 
The Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeThe Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and Lancope
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible Netflow
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
 

Semelhante a Symantec’s View of the Current State of ECDSA on the Web

BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfMenakaDevi14
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruMarketingArrowECS_CZ
 
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Canada
 
Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...
Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...
Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...Cisco Canada
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 
Cisco Connect Halifax 2018 Cisco dna - deeper dive
Cisco Connect Halifax 2018 Cisco dna - deeper diveCisco Connect Halifax 2018 Cisco dna - deeper dive
Cisco Connect Halifax 2018 Cisco dna - deeper diveCisco Canada
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
cisco csr1000v
cisco csr1000vcisco csr1000v
cisco csr1000vMing914298
 
Cisco Connect 2018 Singapore - Cisco Software Defined Access
Cisco Connect 2018 Singapore - Cisco Software Defined AccessCisco Connect 2018 Singapore - Cisco Software Defined Access
Cisco Connect 2018 Singapore - Cisco Software Defined AccessNetworkCollaborators
 
Deploying Secure Converged Wired, Wireless Campus
Deploying Secure Converged Wired, Wireless CampusDeploying Secure Converged Wired, Wireless Campus
Deploying Secure Converged Wired, Wireless CampusRassul Ismailov
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data CenterCisco Canada
 
L'azienda è più agile? Tutto merito del Data Center
L'azienda è più agile? Tutto merito del Data Center L'azienda è più agile? Tutto merito del Data Center
L'azienda è più agile? Tutto merito del Data Center SMAU
 
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUICisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUICisco Canada
 
Cisco Digital Network Architecture Deeper Dive From The Gates To The Gui
Cisco Digital Network Architecture Deeper Dive From The Gates To The GuiCisco Digital Network Architecture Deeper Dive From The Gates To The Gui
Cisco Digital Network Architecture Deeper Dive From The Gates To The GuiCisco Canada
 
Mastering the move
Mastering the moveMastering the move
Mastering the moveTrivadis
 
operational-telecom-network-connected-pipeline-design-guide.pdf
operational-telecom-network-connected-pipeline-design-guide.pdfoperational-telecom-network-connected-pipeline-design-guide.pdf
operational-telecom-network-connected-pipeline-design-guide.pdfVishalKashyap15069
 
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocence
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocenceCisco Connect Ottawa 2018 dna assurance shortest path to network innocence
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocenceCisco Canada
 

Semelhante a Symantec’s View of the Current State of ECDSA on the Web (20)

F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
BRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdfBRKSEC-3771 - WSA with wccp.pdf
BRKSEC-3771 - WSA with wccp.pdf
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC Miniclusteru
 
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network Intuitive
 
Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...
Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...
Enterprise Networks - Cisco Digital Network Architecture - Introducing the Ne...
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
Cisco Connect Halifax 2018 Cisco dna - deeper dive
Cisco Connect Halifax 2018 Cisco dna - deeper diveCisco Connect Halifax 2018 Cisco dna - deeper dive
Cisco Connect Halifax 2018 Cisco dna - deeper dive
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
CCNP Security-VPN
CCNP Security-VPNCCNP Security-VPN
CCNP Security-VPN
 
cisco csr1000v
cisco csr1000vcisco csr1000v
cisco csr1000v
 
Cisco Connect 2018 Singapore - Cisco Software Defined Access
Cisco Connect 2018 Singapore - Cisco Software Defined AccessCisco Connect 2018 Singapore - Cisco Software Defined Access
Cisco Connect 2018 Singapore - Cisco Software Defined Access
 
Deploying Secure Converged Wired, Wireless Campus
Deploying Secure Converged Wired, Wireless CampusDeploying Secure Converged Wired, Wireless Campus
Deploying Secure Converged Wired, Wireless Campus
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
 
L'azienda è più agile? Tutto merito del Data Center
L'azienda è più agile? Tutto merito del Data Center L'azienda è più agile? Tutto merito del Data Center
L'azienda è più agile? Tutto merito del Data Center
 
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUICisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
 
Cisco Digital Network Architecture Deeper Dive From The Gates To The Gui
Cisco Digital Network Architecture Deeper Dive From The Gates To The GuiCisco Digital Network Architecture Deeper Dive From The Gates To The Gui
Cisco Digital Network Architecture Deeper Dive From The Gates To The Gui
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
 
operational-telecom-network-connected-pipeline-design-guide.pdf
operational-telecom-network-connected-pipeline-design-guide.pdfoperational-telecom-network-connected-pipeline-design-guide.pdf
operational-telecom-network-connected-pipeline-design-guide.pdf
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocence
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocenceCisco Connect Ottawa 2018 dna assurance shortest path to network innocence
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocence
 

Mais de CASCouncil

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowCASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesCASCouncil
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI CASCouncil
 

Mais de CASCouncil (20)

100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 
Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
Payments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to knowPayments Security – Vital Information all Payment Processors need to know
Payments Security – Vital Information all Payment Processors need to know
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
State of the Web
State of the WebState of the Web
State of the Web
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm Shift
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
 

Último

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Symantec’s View of the Current State of ECDSA on the Web

  • 1. Symantec’s View of the Current State of ECDSA on theWeb Rick Andrews Senior Technical Director and Distinguished Engineer
  • 2. Agenda 1 Curves used in current practice 2 Market Penetration 3 Why customers use ECDSA 4 Why customers don’t use ECDSA 5 Impact of new ECC curves Copyright © 2015 Symantec Corporation 2
  • 3. Curves in Current Practice for Web-based TLS • NSA published Suite B; adopted by NIST – https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml • Only NIST-recommended curves have been used in practice for SSL/TLS certificates – IETF published “ECC Cipher Suites for TLS” • http://www.ietf.org/rfc/rfc4492.txt • Defined Supported Elliptic Curves Extension – IETF published “Suite B Certificate and Certificate Revocation List (CRL) Profile” • http://tools.ietf.org/html/rfc5759 – IETF published “Suite B Profile for TLS” • http://tools.ietf.org/html/rfc6460 • Restricts TLS to use P-256, P-384 (not P-521) • Most roots in browsers’ trust stores are P-384 Copyright © 2015 Symantec Corporation 3
  • 4. Browser/OS Support for ECDSA and Roots • Mozilla Firefox browser (since 3.6.28, NSS 3.11) trusts 11 ECC roots (10 P-384, 1 P-256) – https://wiki.mozilla.org/CA:IncludedCAs – https://bugzilla.mozilla.org/show_bug.cgi?id=195135 – Platform independent • Safari browser depends on platform - Mac OS X (since 10.9.1) and iOS (since 7) trust 13 ECC roots (12 P-384, 1 P-256) – http://support.apple.com/kb/HT6005 – http://support.apple.com/kb/HT5012 • IE (since Vista) / Windows Phone 8 trusts 14 ECC roots (13 P-384, 1 P-256) – http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and- windows-phone-8-ssl-root-certificate-program-member-cas.aspx Copyright © 2015 Symantec Corporation 4
  • 5. Browser/OS Support for ECDSA and Roots • Android (since 3.x) trusts 6 ECC roots – https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations- into-the-root-certificates-on-mobile-devices/ • Desktop Chrome and Opera (Chromium) use platform crypto and trusted root store – Except on Linux, where the browser includes Mozilla’s NSS trust store. • Blackberry (since 5.0) Copyright © 2015 Symantec Corporation 5
  • 6. Curves Supported in Mozilla NSS Copyright © 2015 Symantec Corporation 6 NIST_P192 NIST_P224 NIST_P256 NIST_P384 NIST_P521 NIST_K163 NIST_B163 NIST_K233 NIST_B233 NIST_K283 NIST_B283 NIST_K409 NIST_B409 NIST_K571 NIST_B571 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ecl/ecl-curve.h&rev=1.7&root=/cvsroot Unclear if each curve can be used for ECDSA and/or ECDH(E) X9_62_PRIME_192V2 X9_62_PRIME_192V3 X9_62_PRIME_239V1 X9_62_PRIME_239V2 X9_62_PRIME_239V3 X9_62_CHAR2_PNB163V1 X9_62_CHAR2_PNB163V2 X9_62_CHAR2_PNB163V3 X9_62_CHAR2_PNB176V1 X9_62_CHAR2_TNB191V1 X9_62_CHAR2_TNB191V2 X9_62_CHAR2_TNB191V3 X9_62_CHAR2_PNB208W1 X9_62_CHAR2_TNB239V1 X9_62_CHAR2_TNB239V2 X9_62_CHAR2_TNB239V3 X9_62_CHAR2_PNB272W1 X9_62_CHAR2_PNB304W1 X9_62_CHAR2_TNB359V1 X9_62_CHAR2_PNB368W1 X9_62_CHAR2_TNB431R1 SECG_PRIME_112R1 SECG_PRIME_112R2 SECG_PRIME_128R1 SECG_PRIME_128R2 SECG_PRIME_160K1 SECG_PRIME_160R1 SECG_PRIME_160R2 SECG_PRIME_192K1 SECG_PRIME_224K1 SECG_PRIME_256K1 SECG_CHAR2_113R1 SECG_CHAR2_113R2 SECG_CHAR2_131R1 SECG_CHAR2_131R2 SECG_CHAR2_163R1 SECG_CHAR2_193R1 SECG_CHAR2_193R2 SECG_CHAR2_239K1 WTLS_1 WTLS_8 WTLS_9
  • 7. Curves Supported in Web Server Software • Microsoft Windows Server 2008; partial support – Can’t generate ECC CSR but can work with imported key and certificate – https://msdn.microsoft.com/en- us/library/windows/desktop/bb204775%28v=vs.85%29.aspx • Apache, nginx with latest OpenSSL • Oracle JRE/JDK 1.7 or newer • F5 11.5 or newer • IBM z/OS V1R13 or newer • CloudFlare (CDN) supports ECC Copyright © 2015 Symantec Corporation 7
  • 8. Curves Supported in Other Web Software • OpenSSL (since 1.0) – P-224 P-256 P-384 P-521 – B-233 B-283 B-409 B-571 – K-233 K-283 K-409 K-571 – http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsahistoricalv al.html • Boring SSL (used in Google Chrome) supports P-224, P-256, P-384, P-521 – https://boringssl.googlesource.com/boringssl/+/master/crypto/ec/ec.c • GnuTLS supports P-192, P-224, P-256, P-384 and P-521 – http://gnutls.org/manual/gnutls.html Copyright © 2015 Symantec Corporation 8
  • 9. Curves Supported in Other Web Software • Java JCE Providers (since Java 6) must support – sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1 – secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1 – From http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders .html and http://www.ietf.org/rfc/rfc4492.txt • BouncyCastle (since 1.32) supports SEC/NIST curves – http://www.bouncycastle.org/releasenotes.html • Mac OS X and iOS support P-192, P-224, P-256, P-384, P-521 – http://csrc.nist.gov/groups/STM/cmvp/documents/140- 1/140sp/140sp2021.pdf Copyright © 2015 Symantec Corporation 9
  • 10. Certification Authorities that offer ECDSA certs • Symantec (includes VeriSign/GeoTrust/Thawte roots) • GlobalSign • Entrust • DigiCert • Comodo (includes USERTrust roots) • Trend Micro (includes AffirmTrust roots) • These CAs issue 67% of the world’s public SSL certificates, according to Netcraft Copyright © 2015 Symantec Corporation 10
  • 11. Market Penetration • Rough estimates of the number of deployed ECDSA SSL certificates: – Netcraft’s scans show 1.96% of all public SSL certificates are ECDSA • Data available by subscription only – ICSI Certificate Notary says that 2.1% of the certificates it sees are ECDSA • http://notary.icsi.berkeley.edu – Majority of ECDSA certs are hosted by CloudFlare as part of their Universal SSL initiative • https://blog.cloudflare.com/introducing-universal-ssl/ – Most Symantec ECDSA customers are from the US, but interest is broadly distributed around the world (Europe, Africa, Middle East, Australia, Asia) • We see some demand in non-Web (device) IoT market Copyright © 2015 Symantec Corporation 11
  • 12. Why Customers Choose ECDSA Certificates • Forward-thinking – want to experiment with alternatives to RSA • Symantec’s performance analysis showed significant server performance gains for P-256 over RSA 2048 – https://www.symantec.com/page.jsp?id=elliptic-curve-cryptography • Research demonstrated significant performance advantage of ECDSA/ECDHE over RSA/DH (PFS for free) – http://w2spconf.com/2014/papers/TLS.pdf Copyright © 2015 Symantec Corporation 12
  • 13. What is holding back the market for ECDSA certs? • Legal/IP concerns were not allayed by the 2003 NSA-Certicom license • Distrust in Suite B curve choices after Snowden, especially in Europe • Lack of client support (Windows XP and non-traditional devices like smart TVs and Japanese feature phones) • RSA isn’t broken; risk of trying new algorithm; general lack of awareness • Lack of dual-stack support in web servers (except Apache – see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#comment_970) • Clients supporting ECDHE may not have ECDSA root; difficult for servers to know • ECDSA root may not be EV-enabled • Client-side performance penalty (ECDSA slower than RSA for signature verification for commonly-used key sizes) • “Heard there was some technical problem with ECDSA” – (if a cryptographically secure random integer is not selected, the private key can be determined) Copyright © 2015 Symantec Corporation 13
  • 14. Impact of New Curves • Impact will likely be muted if IP issues are not cleared up • CAs need support in their HSMs and software toolkits • CAs will most likely sign keys from new curves using existing P- 256 or P-384 roots, to avoid delay of deploying roots using new curves – Signing with existing RSA roots or intermediates carries IP risk, but mitigates root ubiquity issue • Even though CAs may not initially create intermediate CA certs with new curves, we need to perform Proof of Possession of key. Usually done by checking signature on CSR, requiring support of new key curve in the CA’s HSMs and software toolkits. • Browser and web server vendors must support new curves Copyright © 2015 Symantec Corporation 14
  • 15. Thank you! Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Rick Andrews rick_andrews@symantec.com 650-527-9506