Technical Support Matrixlp.adwebtech.com/cic/SymantechGuide.pdf · Authorities should not issue any...

Technical SupportMatrix

Specialist PartnerWebsite SecurityWebsite Security

Platinum PartnerWe Mean e-Businessreg

Enhancing Website Securitywith Algorithm Agility

ENH

AN

CIN

G W

EBS

ITE SEC

UR

ITY

WITH

ALG

OR

ITHM

AG

ILITY

Enhancing Website Security with Algorithm Agility

White Paper



Contents

Introduction 3

Encryption Today 3

How Algorithms are Changing 4

A Closer Look at the New Algorithms 5

Digital Signature Algorithm (DSA) 5

Elliptic Curve Cryptography (ECC) 5

Algorithm Agility mdash Choosing the Right Algorithm for your Needs 6

Next Steps 7

Conclusion 7


Introduction

Business owners require flexibility and scalability in their efforts to build trust

and protect online sites and transactions from Hackers Hackers are constantly

developing more sophisticated methods to breach security protections and inflict

damage on a business or its customers

Responsible business owners have long known to protect their online presence

through the use of SSL certificates provided by trusted third party Certification

Authorities (CA) The use of an SSL certificate allows authentication of the web

server the transmission of sensitive information and a recognized and trusted sign

of security to customers SSL Certificates have traditionally relied on encryption

using public and private keys based on the RSA algorithm While these keys remain

secure increasing threats from ever more powerful computers prompted the

National Institute of Standards and Technology (NIST) among others to call for

additional strengthening of online encryption1

With this need for additional security in mind and to ensure that business owners

can customize their protection to the needs of their business Symantec the

most trusted name in SSL Certification2 has introduced algorithm agility as part

of its SSL certification process This means businesses now have the ability to

choose between certificates that provide protection based on the RSA algorithm

on two alternative algorithms ECC and DSA or to generate certificates for all

three to install on a server This flexibility allows business owners to provide a

broader array of encryption options for different circumstances infrastructure and

customer or partner groups

This paper examines algorithm agility how it fits into the current and evolving

security landscape and how your business can enhance online security through a

more flexible scalable approach to SSL certification

Encryption Today

Transport Layer Security (TLS) and its predecessor Secure Socket Layer (SSL)

protocols remains the industry standard for website authentication and protecting

information in transit Used by websites and browsers TLS allows for the

authentication compression and encryption of data passing between a client (end

user) and a server ensuring that hackers cannot access data while it is being sent

Users know that they are accessing a website or page protected by TLS when ldquohttprdquo

in the address line is replaced with ldquohttpsrdquo and a small padlock appears in the

status bar Such secure pages require the use of SSL certification to enable the

encryption of information that is transmitted to or from a secure web server The

vast majority of SSL certificates today rely on keys generated by and signed with

the RSA algorithm

The RSA algorithm remains an effective encryption option However the length of

the keys will continue to grow exponentially Online communities have noted the

ability of hackers using powerful computers to potentially crack keys approaching

1 httpcsrcnistgovpublicationsnistpubs800-131Asp800-131Apdf2 Symantec US Online Consumer Study February 2011


1024 bits NIST has therefore recommended that by the end of 2013 Certificate

Authorities should not issue any new SSLTLS certificates with RSA public key sizes

smaller than 2048 bits3

At the same time alternative algorithms for encryption and signing have been

adopted by the federal government which has issued guidelines based on Elliptic

Curve Cryptography (ECC) and Digital Signature Algorithms (DSA)4 Already binding

on the Federal Government the new NIST Suite B guidelines and recommendations

are also usually adopted as best practices by commercial businesses

Certificates signed with the RSA algorithm have been in widespread use for many

years but algorithm agility based on the NIST guidelines allows businesses to

choose to implement certificates signed with three different algorithms RSA DSA

and ECC The design of TLS allows different algorithms to work either alone or

side by side so with algorithm agility business owners can choose the public key

algorithm or combination of algorithms that works best for their online presence

and infrastructure

How Algorithms are Changing

While all three public key cryptography systems are secure efficient and

commercially viable they differ in the kind of mathematical problem on which

they are based Not only does this affect how vulnerable they are to brute force

attacks often used by hackers but it can also lead to differences in the size of

the keys generated by the algorithm to provide a certain level of security NIST

provides guidelines for minimum sizes of the different keys according to the level

of security required

Minimum size (bits) of

Public Keys

Key Size

Ratio

Protection

from

Security (bits) DSA RSA ECC ECC to RSADSA Attack

80 1024 1024 160-223 16 Until 2010

112 2048 2048 224-255 19 Until 2030

128 3072 3072 256-383 112 Beyond 2031

192 7680 7680 384-511 120

256 15360 15360 512+ 130

Table 1 National Institute of Standards and Technology Guidelines for Public-Key Sizes

The chart above clearly shows that the size of RSA and DSA keys grows at a

much faster rate than those based on ECC when faced with increasing security

requirements This is important because longer keys require more storage space

more bandwidth to transmit and potentially more processor power and time to

generate the keys encrypt and decrypt with them

3 httpcsrcnistgovpublicationsnistpubs800-131Asp800-131Apdf4 httpcsrcnistgovpublicationsfipsfips186-3fips_186-3pdf


The RSA algorithm is and is likely to continue to be widely used for some time

and for most TLS Certificates RSA will remain the algorithm of choice for Web

transactions However as security demands increase and use of mobile devices

continues to expand there is a growing need for a more flexible encryption

landscape where business owners can customize the kind of protection they get to

the needs scale and technological configurations of their particular businesses

An increasing number of tablets smart phones and other mobile devices are

driving more traffic onto the web This is great for business but can present

a challenge for the number of total simultaneous connections to a single site

Algorithm agility can provide a scalable solution without sacrificing security

A Closer Look at the New Algorithms

If the options for encryption are expanding what changes are made to the levels

of protection available to businesses and how will algorithm agility the ability to

choose between three different algorithms affect SSL certification

First letrsquos take a closer look at the algorithms

Digital Signature Algorithm (DSA)

DSA is a discrete logarithm system It was developed by the National Security

Agency in 1991 as an alternative to RSA and is the federal standard for digital

signature5 The DSA algorithm provides the same level of protection and

performance as the RSA algorithm for similar key sizes but uses a different

mathematical algorithm for signing and the detection of any alteration to a

transmitted message

Although key sizes are identical to RSA key generation and digital signature using

DSA is faster Key verification is slightly slower

DSA is also compatible with most servers and because it is already a federal

standard using an SSL certificate that supports DSA makes it easier for businesses

to meet the requirements of government contracts

Elliptic Curve Cryptography (ECC)

The NIST Suite B recommendation that Certificate Authorities increase the

minimum key size associated with RSA supported SSL certificates demonstrates

that increasingly sophisticated security threats will drive the requirement for ever

larger RSA keys As Table 1 shows above at a certain point the RSA key size for the

security required simply becomes unwieldy increasing the amount of computing

power bandwidth for transmission and time required for the encryption and

decryption operation Itrsquos still secure but less efficient

Unlike RSA and DSA ECC algorithms are based on elliptic curves over finite fields a

much more difficult mathematical problem for hackers to attack using simple brute

force methods Using RSA and DSA algorithms the defining factor for how secure

the encryption can be is key length

5 httpcsrcnistgovpublicationsfipsfips186-3fips_186-3pdf


With ECC the nature of the mathematical problem at its core means that as key

size increases its decryption operations become more difficult at a faster rate than

those of RSA This means that a shorter ECC key is more difficult for a hacker to

break than the same length of RSA key and can provide the same or better security

coverage than a much longer RSA key Key sizes for ECC increase linearly instead of

exponentially so as guidelines change their efficiency increases

Algorithm Agility mdash Choosing the Right Algorithm for your Needs

While ECC is already embraced by federal agencies ECC is not ubiquitous in

terms of adoption allowance and availability across all browsers and servers For

businesses this means that ECC may not if used as the only encryption algorithm

be the right solution for your particular mix of hardware and devices

When looking at the customer side ECC is a relatively new technology for mobile

and browsers so it may not yet be easily available to all of your customers If the

customer device or browser does not support a particular algorithm that customer

may not be able to complete a transaction This means that ECC by itself may

not be the best choice for the SSL certificate for by example a retail site where

customers need to feel confident that they can make purchases easily and securely

However a business using multiple certificates DSA and RSA ECC and RSA or all

three at once increases their coverage

Several factors will help you decide which algorithm or combination of algorithms

in your SSL certificate best meets the needs of your business While it is highly

likely that RSA will continue to be used for some time algorithm agility opens up

new options The option to choose SSL certification based on different algorithms

allows business owners to extend their online security easily meet the needs of

government clients and partners and tailor security protection to their business

requirements in a way that has not previously been possible

The first factor for business owners or IT managers to consider is the organizationrsquos

current Web server standards Some web servers can handle RSA DSA or ECC

and can be configured to use all three types of certificate for one domain name

on a single Web server Others can handle RSA or ECC but are limited to only one

certificate per Web server

TLS is also used for encryption between email servers and other services and

the internal tools scaling and architecture for these services would need to be

considered

Second is the tradeoff in speed of authentication between the algorithm types

RSA is faster on the client side of authentication and ECC is faster on the server

side RSA signatures also can be verified faster than ECC signatures The usage

of each key type will depend greatly on the type of transaction intended Factors

to consider here include the processing power of the end device storage space

bandwidth power consumption and how widely the algorithm is adopted by your

customers and their client devices or browsers


The number of expected connections may also play a factor in decision making

Depending on web server configuration servers may be able to handle more

concurrent connections with an ECC certificate than an RSA certificate An

organization must consider their needed balance between safety user experience

and IT costs in network processing

The last consideration is the identity of your customers or partners DSA and ECC

are embraced by many government agencies and may be required in interactions

with them This could include government contracts and sub-contracts and

information exchanges with governmental branch entities

In a best case scenario an organization would be able to install all three

certificates on their transaction server Configured properly a server could then

accept any request from an end point avoiding risk and providing 100 client

coverage

Next Steps

In order for customers to truly realize all of the benefits of the enhanced security

offered by new algorithms DSA and ECC support will have to become more

widespread especially in the mobile environment that is processing more and

more of our daily online life

This may also lead to changes in the visual cues we are accustomed to on web

browsers As yet there is no standard for mobile or tablet browsers equivalent to

the trusted HTTPS and padlock indicators as well as the Extended Validation green

bar we now see on web browsers

In the meantime Symantecrsquos algorithm agility approach provides businesses with

an easy and effective transition Symantec customers now have the option to

choose SSL certificates that use both the traditional RSA algorithm and either DSA

or ECC algorithms for enhanced security

Conclusion

Security demands will increase and hacker attempts will become more

sophisticated and powerful but security measures are improving alongside the

threats Algorithm agility will be of increasing value to businesses allowing owners

and IT departments the flexibility and scalability they need to tailor protection to

the needs of their customers and their businesses

Symantec has made it easy to get started Our popular SSL certificates now include

DSA or ECC algorithms alongside the standard RSA algorithms Integrating the new

algorithms into SSL certificate products provides a convenient way for businesses

to improve and enhance their online security in partnership with the most trusted

Certificate Authority in the world


More Information

Visit our website

httpgosymanteccomssl-certificates

To speak with a Product Specialist in the US

Call toll-free 1(866) 893-6565 or 1(650) 426-5112

To speak with a Product Specialist outside the US

For specific country offices and contact numbers please visit our website

About Symantec

Symantec is a global leader in providing security storage and systems

management solutions to help consumers and organizations secure and manage

their information-driven world Our software and services protect against more

risks at more points more completely and efficiently enabling confidence

wherever information is used or stored

Symantec Corporation World Headquarters

350 Ellis Street

Mountain View CA 94043 USA

1 (866) 893 6565

wwwsymanteccom

Copyright copy 2013 Symantec Corporation All rights reserved Symantec the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates inthe US and other countries VeriSign and other related marks are the trademarks or registered trademarks of VeriSign Inc or its affiliates or subsidiaries in the US and other countries and licensed toSymantec Corporation Other names may be trademarks of their respective owners

Adweb Technologies Pvt LtdHead Office

3093 Shree Krishna Commercial Centre 6 Udyog Nagar Off SV Road Goregaon West Mumbai 400062IndiaTelephone (+9122) 42978084

Branch Office

Level 15 Eros Corporate Tower Nehru Place New DelhiIndia ndash 110019 Telephone +91 11 6615 5362

Emailsupportadwebtechcom | visit httpsssladwebtechcom

SymantecTM Managed PKI for SSL

Businesses and organizations of all kinds rely on websites intranets and extranets to exchange confidential information and enable eCommerce For businesses protecting intellectual property as well as customer data in transit is a top priority Just as important consumers need to know that they can trust their online transactions

Secure Sockets Layer (SSL) certificates are used to verify the legitimacy of websites and to encrypt information in transit Managing certificates can be challenging when servers are deployed across various divisions and locations Complexity increases as an organization expands its SSL certificate inventory to keep pace with growth A centralized and flexible solution is needed to simplify the comprehensive management of SSL certificates across the enterprise

Gaining unmatched confidence from a comprehensive solution Symantectrade Managed PKI (MPKI) for SSL cloud-based management console provides centralized control and delegated administration of all your Symantec SSL and code-signing certificates Extended Validation (EV) and premium certificates include vulnerability assessments and malware scanning to assist in website protection MPKI for SSL is ideal for a large enterprise that needs to deploy and manage large numbers of SSL certificates

Symantectrade Managed PKI for SSL

Key Features and Benefits

Features

bull Capacity to manage thousands of SSL and code-signing certificates

bull Cloud-based console for easy and rapid deployment

bull Delegated administration and role-based access for security and control

bull Instant issuance of certificates on pre-approved domains for rapid response to business needs

bull Option to choose from three different encryption algorithmsmdashRSA ECC and DSA

bull Detailed reports and audit trails for accountability and compliance verification

bull Award-winning support for resolution of issues

Benefits

bull Inspire trust and confidence in customers and stakeholders

bull Select the vendor chosen by 94 of the 100 largest financial institutions worldwide

bull Keep pace with business growth while increasing operational efficiency

Datasheet Symantectrade Managed PKI for SSL

Symantec MPKI for SSL facilitates centralized control and comprehensive lifecycle

management of Symantec SSL and code-signing certificates across the enterprise


Protecting data in transit Symantec MPKI for SSL supports a full range of code-signing products and SSL certificates including the following

bull Extended Validation SSL

bull Subject Alternative Name (SAN)

bull Wildcard SSL

bull Intranet certificates

Full algorithm agilityIn addition to the RSA algorithm Symantec MPKI for SSL supports two newly introduced encryption algorithms mdash Elliptic Curve Cryptography (ECC) and Digital

Signature Algorithm (DSA)mdashfor full algorithm agility

Managing SSL certificates in heterogeneous environments Symantec Certificate Intelligence Center (CIC) an add-on option with MPKI for SSL enables advance discovery of all SSL certificates across multiple Certification Authorities (CA)

bull Gain complete visibility into all SSL certificates across your enterprise regardless of the issuing CA

bull Maintain business continuity and prevent unknown certificate expirations by identifying rogue certificates and bringing them under management

bull Increase efficiency with a cloud-based service

Issuing and tracking private intranet certificatesSymantec Private Certification Authority (CA) is a cost-effective solution to improve the security and management of private intranet certificates while adhering to corporate and industry compliance standards

bull Consolidate the management of public and private certificates

bull Bring an end to unexpected expirations with superior visibility on a single console

bull Avoid the errors and hidden costs often associated with self-signed certificates

bull Maintain compliance by issuing certificates without concern of changing regulations affecting SSL certificates chained to public roots

bull Mitigate security risks by separating roles and responsibilities between administrators and requestors

bull Leverage the validation infrastructure with 100 percent uptime since 2004

bull Take advantage of the robust infrastructure that supports an average of 6 billion Online Certificate Status Protocol (OCSP) lookups every day

bull Manage and control the deployment of SSL certificates and website protection services from a central console

bull Manage the complete SSL certificate lifecycle with delegated administration role-based access and instant issuance of certificates

bull Get up to 24x7 technical assistance with our award-winning support team

Includes Symantec subsidiaries affiliates and resellers (based on Forbes Global 2000 list 2013 and internal customer analysis July 2013)


Copyright copy 2014 Symantec Corporation All rights reserved Symantec the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the US and other countries Other names may be trademarks of their respective owners

Going beyond SSL with trust services and information protection MPKI for SSL offers a broad range of additional service options all in a single solution

bull Activate an assessment to identify critical vulnerabilities on your website

bull Scan for malware to avoid propagation of viruses to customersrsquo systems

bull Turn on Symantec Seal-in-Search to increase traffic to your site

Leveraging award-winning supportSymantec provides support that will help ensure your business continuity Support is based on annual subscription with different offerings to meet your needs

Learn MoreTo learn more contact a Symantec sales representative at +1 (650) 426-5112 option3 send an email to SSL_EnterpriseSales_NAsymanteccom or visit our website at http gosymanteccommanaged-pki-for-ssl

To speak with a product specialist in the United States call +1 (866) 893-6565 or +1 (650) 426-5112 To speak with a product specialist outside the United States visit our website for specific country offices and contact numbers

About SymantecSymantec is a global leader in providing security storage and systems management solutions to help consumers and organizations secure and manage their information-driven world Our software and services protect against more risks at more points more completely and efficiently enabling confidence wherever information is used or stored

Symantec Corporation world headquarters350 Ellis StreetMountain View CA 94043 USA+1 (866) 893-6565

wwwsymanteccom

UID 2260714

For more information

AdwebTechnologies Pvt Ltd

Head Office

3093 Shree Krishna Commercial Centre 6 Udyog Nagar Off SV Road Goregaon West Mumbai 400062India

Branch Office


Emailsupportadwebtechcom httpsssladwebtechcom

Adweb Technologies Pvt Ltd

Head Office


Branch Office



More information


Head Office


Branch Office



Guide for Migrating toSHA-2 Certificates

WH

ITE PA

PER

powered by Symantec

White Paper

Guide for Migrating to SHA-2 CertificatesCryptographic algorithm migration checklist 9 actions for server managers

White Paper Guide for Migrating to SHA-2 Certificates

2

CONTENTS

Chapter 1 Summary 3

Chapter 2 Why is migration to SHA-2 certificates required 4

CryptographicalgorithmusedinSSLTLScommunication 4

Isthesecurityofcryptographicalgorithmsdeteriorating 5

Whatifalgorithmsecuritydeteriorates 6

Definingtestingandimplementingcountermeasures 7

Troubleshootingwhymighttestingfail 8

Chapter2Summary 10

Chapter 3 Checklist 9 actions for server managers 11

SSLcertificatechecklist 11

Serverconfigurationchecklist 12

Clientenvironmentsfactorstoconsider 14

Chapter 4 What is the deadline for making these changes 16

Requiredactions 17

Chapter 5 When will the next cryptographic algorithm migration take place 18

Chapter 6 Conclusion 18


3

Chapter 1 Summary

By2013almostallservermanagershaddealtwith

theY2010issueregardingcryptographicalgorithms

Howeveranewchallengehasnowemergedhowto

migratetotheSHA-2certificate

WhileSHA-2andY2010aresimilarintermsofthe

issuestheypresenttheydifferintermsofplatform

supportServermanagersmustplanwellbeforemaking

thetransitionandlearnfromsomeoftheexperiences

encounteredwithY2010toensuresuccess

Symantechascreatedausefulchecklistforserver

managersmigratingtoSHA-2certificates

Table 1 Checklist 9 items for server managers

No Item to check Category Check

1 Understand the key lengths of intermediate and root certificates and hash functions SSL server certificate

2 Generate a CSR Server settings

3 Set up intermediate certificates of cross root hierarchy Server settings

4 Confirm that Cipher Suite is available on the server Server settings

5(For inter-server communication environment) Take care to double-check required root certificates

Server settings (Or the client environment)

6 (For PC browsers) Check compatibility of Windows XP and Windows Vista or later Client environment

7 Review the cover ratio of phones and smartphones Client environment

8 Understand the characteristics of cell phone applications (Java BREW etc) Client environment

9(For household appliances and embedded devices) Understand the communication function and the root certificate of each device

Client environment

Chapter2ofthiswhitepaperdescribesthereasonsfor

migratingtoSHA-2certificateandsummarisesthemain

pointsforasmoothtransition

Chapter3offersguidanceonhowtoreviewand

implementchangesbasedonthechecklist

Chapters4and5describesomeprecautionsforthe

future


4

Chapter 2 Why is migration to SHA-2 Certificate required

Cryptographic algorithm used in SSLTLS communication

CryptographicalgorithmisresponsibleforsafeSSLTLS

communicationTheprotocolencryptsinformationand

distributesitsecurelyovertheinternetButascomputer

technologyadvancesanddecryptiontechniquesgrow

moresophisticatedtheeffectivenessofcryptographic

algorithmsgraduallydeterioratesDelayingitsmigration

isthereforelikelytocauseproblemslaterwhichcould

compromisetheconfidentialityofwebsitesandpersonal

information

Figure1CommunicationbetweenabrowserandawebserveruponinitiatinganSSLTLSsession

1Symantecsrootcertificatesarepre-installedonmanyclientdevicesincludingPCbrowsersandmobiledevicesascertificatesissuedbyareliableCAEndusersdonotneedtoinstallrootcertificatestoclientdevices

Root certificate

Symantecserver ID

1) Request for encryption

2) Send a server certificate

3) Create a common key

4) Initiate encrypted data transfer

Common key40bit～ 256bit


Verified

Clients browser Web serverhttpswww

The web server sends the SSL certificates (and the intermediate certificates) to the client to have them verified

The browser uses its root certificate1 to verify that the received certificate has been issued by a reliable CA

SSLTLScommunicationusuallytakesplacebetween

abrowserandawebserverToenablethisSSL

certificatesmustbeinstalledonthewebserveranda

rootcertificateattachedtothebrowser

WhenabrowseraccessesawebserverwithaURL

startingwithhttpsaSSLcertificateisdownloaded

fromthatwebserveratthesametimeTheclient

verifiesthecertificatersquoselectronicsignatureusingthe

browser-embeddedrootcertificatestoensureithas

beenissuedbyalegitimatecertificationauthority(CA)

Thealgorithm-calledhashfunctions-isusedforthis

Oncecompletedauniquesessionkeyisgenerated

allowingbi-directionalcommunicationbetweenthe

browserandwebserverThekeyiscalledalsquocommon

keyrsquoandtheruleiscalledalsquocommonkeycryptosystemrsquo

Apublickey(includedintheSSLcertificate)anda

privatekey(managedonthewebserver)sharethe

commonkeyPublicandprivatekeysarealways

generatedasapairDataencryptedwithapublickey

canonlybedecryptedwiththeprivatekey

IfyoursquovealreadyinstalledanSSLcertificateonaweb

serveryoumightalreadybefamiliarwiththeprocess

ofgeneratingpublicandprivatekeysInessencethe

CSRsubmittedtoaCAincludesapublickeyandon

submissionaprivatekeywillbegeneratedontheserver

Hashfunctionsandpublicandcommonkey

cryptosystemsarecollectivelycalledlsquocryptographic

algorithmsrsquo


5

Is the security of cryptographic algorithms deteriorating

Cryptographicalgorithmsaretestedandevaluatedby

avarietyofinstitutionsTheUSNationalInstituteof

StandardsandTechnology(NIST)usesacommonscale

tomeasuresomeofthemTheseareshowninTable2

ThepublickeycryptosystemofRSA1024bit-which

migratedaspartofthesolutiontoY2010-andthehash

functionSHA-1areevaluatedashavingasecuritylevel

of80bitThismeansthecalculationrequiredtodecrypt

acryptographicalgorithminthisgrouphasthesecurity

strengthequivalenttothe80thpowerof2

CRYPTREC(CryptographyResearchandEvaluation

Committeesaprojecttoresearchandevaluate

cryptographictechnologies)hasannouncedthatSHA-1

shouldnolongerberecommendedbecauseitnow

carriesahigherriskofbeingdecryptedCRYPTREC

advisesthatitshouldnotbeusedforanythingother

thanmaintainingcompatibility1

AttheCRYPTO2010conferenceapaperdocumentinga

pre-imageattackagainstSHA-1withfewercalculations

todecryptwaspresented2Thisdemonstratedhow

cryptographicalgorithmsdepreciateascomputing

capabilityadvancesandnewattacktechniquesare

developed

AssuchwearenowfacingarealisticthreatItisfeared

thatSHA-1mightbedecryptedwithinafewyearsby

hackerswithsufficientfundingandknowledge

HowevertheSHA-2hashalgorithmwithasecurity

equivalenceof112bit(SHA-224SHA-256SHA-384

SHA-512hereinaftercollectivelycalledSHA-2)is

listedbyCRYPTRECasarecommendedcryptographic

algorithmforgovernmentSHA-2ispredictedtobeused

widelyinthefutureasitscryptographictechnologyhas

provensecurityandcompatibilitywithexistingsystems

InrealitycompleteY2010compliancecanonly

beachievedwhenSHA-1isterminatedandSHA-2

isadoptedWiththismindmigrationtoSHA-2is

stronglyrecommendedasageneralinternetsecurity

requirement

ForexamplebothNISTandPCIDSS(Payment

CardIndustryDataSecurityStandards)advisedUS

governmentalsystemstoterminateSHA-1bytheend

of2013

ButitwastheannouncementmadebyMicrosoft3

thathashadthegreatestimpactontheprivatesector

MicrosoftrecommendedmigrationtoSHA-2regarding

SSLcertificationforWindowsOSandannouncedaplan

toterminateSHA-1bytheendof2016

Table 2 Equivalent security of each type of cryptographic algorithm (Excerpt from 56 Guidance for Cryptographic Algorithm and key length Selection in NIST SP 800-57ldquoRecommendation for Key Managementrdquo)

Equivalent security(Bits of Security)

Public key cryptosystemand the key length (in case of RSA)

Hash functionCommon key cryptosystem and the key length

80bit 1024bit or larger

SHA-11

SHA-224 SHA-256

SHA-384 SHA-512

2TDEA (2 key Triple DES)


AES 128 bit or larger

112bit 2048bit or largerSHA-224 SHA-256

SHA-384 SHA-512




SHA-512AES 128 bit or larger

192bit 7680bit or larger SHA-384 SHA-512 AES 192 bit or larger

256bit 15360bit or larger SHA-512 AES 256 bit or larger

Low

Secu

rity

Hig

h


6

What if algorithm security deteriorates

Whatwouldhappenifalgorithmsecuritydecreased

regardlessofmigrationThetablebelowshowsthe

purposeofeachalgorithmIfcryptographicalgorithm

securitydepreciatesandanattackhasoccurredthen

thesepurposescannotbefulfilled-andsecurityriskswill

beexposed

AccordingtoMicrosoftSHA-1willbeterminatedfor

WindowsOSbytheendof2016Afterthatanerror

messagewillbeshownonInternetExplorerandother

browsersforSSLcertificatesthatuseSHA-1

Whatcanservermanagersdotopreventtheserisks

AsTable3showstheultimatepreventionstrategyisto

enhancethesecurityoftheirwebserviceenvironment

byterminatinguseofSHA-1andotheralgorithmswith

compromisedsecurity

Howeverarealloperationalserversandbrowsersready

tomanageSHA-2Thoroughcompatibilitytestmustbe

conductedbeforetrying

ThenextpagedescribeswhereandhowtoconductSHA-

2-readytestsandimplementmeasuresforwebservices

orcorporatesystems

Table 3 Types and purposes of cryptographic algorithms

Type of cryptographic algorithm

Purpose in SSLTLS communicationExample of algorithm considered safe at present

Public-keyencryption

TheprivatekeyisstoredonthewebserverThepublickeythe

companiontotheprivatekeyispublishedinthecertificateThis

algorithmisusedtosafelysharethecommonkeyortoidentifythe

managerofthewebserver

WebserversandbrowserswhichperformSSLTLScommunication

mustbecapableofhandlingeachalgorithm(keylength)properly

RSA2048bitECDSA(NISTP-256etc)

Hashfunction

WorkstodetecttamperingwithdatabyathirdpartyThisalgorithmis

usedbyCAtoattachadigitalsignaturewhenissuingSSLcertificates

orbybrowserstoverifythesignatureonthecertificate


mustbecapableofhandlingeachalgorithmproperly

SHA-2

(SHA-224SHA-256etc)

Common-keyencryption

Generateduponeachsessionofcommunicationbetweenaserverand

abrowserandusedtoencryptdecryptthetransmitteddata



AES128bitetc

Table 4 Risks of depreciated cryptographic algorithm


Risk caused by depreciated security Means to cause security depreciation


TheprivatekeymaybecalculatedwiththepublickeyThisenablesthe

attackertoimpersonateanorganizationoranindividualwhoownsa

legitimatecertificateortotapdatabyillicitdecryption

-Generalnumberfieldsieve

Hashfunction

Differentdatawiththesamehashvaluemaybecreated

Theattackercancreateafraudulentcertificateanddisguiseitasa

certificateissuedbylegitimateCAwhichenablesimpersonatingan

organizationoranindividualwhoownsalegitimatecertificate

-Collisionattack

-Pre-imageattack

-Chosen-prefixattack

Common-keyencryptionEncrypteddatamaybeillicitlydecryptedThisenablestappingthe

originaldata(plaintext)

-Brute-forceattack

-Ciphertextmatchingattack


7

Defining testing and implementing countermeasures

Corporatewebsiteservermanagersmustreviewthe

clientenvironmentthatcommunicateswiththeir

websiteaswellastheserverenvironmentitselfFor

exampleECsite-managingorganisationsmustruntests

withawidevarietyofmobilephonemodelsandweb

browserstocheckoperationsincludingpaymentsLarge

organisationswithinter-servercommunicationsystems

mustreviewawiderangeoftestscenariosrepeatedly

evenforminorconfigurations

Table5liststhetestsrequiredforvariousenvironments

whenswitchinghashalgorithmsinstalledontheSSL

certificatefromSHA-1toSHA-2

Table 5 How to run the tests when switching hash algorithms for SSL certificate from SHA-1 to SHA-2

Website Embedded communication device Inter-server communication system

Imagehttps https https

Environment

component

-Webserver

-PCbrowser

Cellphone(incaseofwebsitesofcell

phones)

-Webserver

-Communicationdevice(household

appliancesvideo-gameconsoleoffice

automationequipmentetc)

-Interactiveserverenvironment

Server

preparationfor

tests

InstallanSSLcertificatewithSHA-2

signatureonthewebserver




signatureonallserverenvironmentwhich

performstransactionprocess

Itemstotest

regarding

SSLTLS

communication

Whetherthewebsitecanbeproperly

accessedwithhttpsfromallthe

possibleclientenvironmentsincluding

PCbrowsersandcellphones

Whetherthewebservercanbeproperly

accessedfromcommunicationdevices

usedforthewebservice

Whetherthehttpscommunication

isproperlyconductedamongallthe

interactingservers

Possible

reasonsthat

mayproduce

badresults

-Thecellphoneisnotembeddedwitha

requiredrootcertificate

-Thecellphoneisincompatiblewith

SHA-2

-Configurationmistakessuchas

intermediatecertificatenotbeing

installedonthewebserver

-Thecommunicationdeviceisnot

embeddedwithrequiredrootcertificates

-Thecommunicationdeviceisunableto

handleSHA-2

-Inadequatedesignorcodingofthe

communicationdevice

-Theserverisnotembeddedwith

requiredrootcertificates



installedontheserver


serverapplication


8

Troubleshooting why might testing fail

Itispossiblethattestresultscanbepoorinany

environmentBelowarealistofSSLTLScommunication

componentspossiblereasonsforfailureandhowyou

canaddressthem

1 SSL certificate

MostbadresultscausedbyanSSLcertificatefallinto

thefollowingcategories

Category 1 The servers or browsers are incompatible with the cryptographic algorithm used on the certificate

Ifyouupgradethecryptographicalgorithmforthe

SSLcertificatewithouttheserverorthebrowserbeing

managedproperlyyourservicesmaysuddenlynot

befullyavailableThereforecertificate-issuingCAs

mustpaycloseattentiontotransferthecryptographic

algorithmscorrectly

Howeverusinganinsecurecryptographicalgorithm

simplytoensurecompatibilitywitholdbrowsersmight

leadtoabreach

Servermanagersmustdecidewhichcertificateandweb

serverbrowserstouseforthebestserviceperformance

andsecurity

Category 2 The required root certificate does not exist on the client side

IftherootcertificateissuedbytheCA(whichisalso

theissueroftheSSLcertificate)doesnotexistonthe

clientsidetheserverscertificatewillbeconsidered

illicitAlthoughthismayalsobeduetoinadequate

implementationofclientbrowsersordevicesin

mostcasesitiscausedbytheabsenceofanewroot

certificate

Category 3 Categories 1 and 2 have not occurred - but bad results are still happening

Thiscouldbeduetotheabsenceofrequireddataor

inadequateconfiguration(suchasincorrectinstallation

ofSSLorintermediatecertificates)

2 Web servers (for general websites)

Mostwebservershavehigh-endCPUswithhigh

processingcapacityandfrequentupdatesThismeans

thattheyaremorelikelytobeequippedwithmore

securecryptographicalgorithms

ResearchconductedbySymantecinregardtohash

algorithms4showsthatthelatestversionsofweb

serversarebeingequippedwithSHA-2-compatibleSSL

certificatesRegardingthecommonkeycryptosystem

moresecurealgorithmssuchasAES-128bitare

availableonmostwebserversHoweversomeofthem

arestillaccessiblewithDESorRC4whichisconsidered

tobelesssecure5

Bemindfulofthefactthatdependingontheencryption

requestforbrowserstheselesssecurealgorithmsmay

beabletoestablishSSLTLSsessions-puttingsystems

atriskTopreventthisservermanagersneedto

prioritiseciphersuites(acombinationofcryptographic

algorithmsdefinedbytheirSSLTLSprotocol)to

communicatemoresecurelywithbrowsersanddecide

whichciphersuitesarepermittedtodoso

Chapter3exploresthisinmoredetail

3 Web servers (for inter-server communication)

Theprocedurehereissimilartothatforgeneralweb

serversInthecaseofinter-servercommunication

whereoneoftheserversisaclientfortheotherserver

payattentiontowhethertherootcertificateoftheother

serverisavailabletobothtoverifytheSSLcertificate

Asinthecaseofbrowserssomeserverapplications

comewithcertainrootcertificatesincludedCheckthe

specificationandconfigurationIfnorootcertificateis

installedobtainonefromaCA6

Theinter-communicationenvironmentmaybepartofa

largecorporatesystemthedevelopmentormanagement

ofwhichisoftenoutsourcedInthiscaseacertain

amountofbudgetmayneedtobesetasidetoreview

thecryptographicalgorithm

4 Browsers (PC)

PCbrowsers(includingWindowsInternetExplorerreg

MozillaFireFoxetc)typicallyhavehighperformance

andareupdatedfrequentlyTheyaremorelikelytobe

equippedwithnewcryptographicalgorithms


9

Manybrowsersareequippedwithfunctionswhich

enablepost-releaseupdatesincludingonline

distributionofpatchprogramstobecompletedifthere

isanydeficiencyinembeddedmodulessuchasroot

certificatesHoweveraswithMicrosoftsupportfor

priorversionsisusuallyterminatedquicklyandnopatch

programsaredistributedwhenmajorupgradestake

place

Itisimportantforservermanagerstoencourageend

userstomovetonewbrowsersOldversionsarenot

capableofsupportingstrongercryptographicalgorithms

andareinsufficientlysecure

5 Mobile phones (Feature phones)

In2009SHA-2capablemobilephonesbegantoappear

Sincethenalthoughmorecapablemodelshavebeen

releasedcurrentcoverageisinsufficientforgeneral

use7Additionalupdateplansforexistingmodelshave

notbeenannouncedeither(asatJuly2014)

Thereforeoldmobilephonemodelscannotcurrently

accesswebsiteswithSHA-2compatiblecertificates

installed

6 Smartphones

Smartphonesarerelativelyadvancedintermsof

handlingnewcryptographicalgorithmsAlmost

allstandardbrowsersonsmartphonesareSHA-2

compatibleRefertoourwebsite8forcompatibilitiesIf

theaccesstestproducesanydifferenceinresultsyour

webservermightnotbeconfiguredproperly

7 Embedded devices

Anincreasingnumberofembeddeddevices-suchas

householdappliancesvideo-gameconsolesandoffice

automationequipment-havesophisticatedCPUswith

functionsincludingInternetaccessCurrentcompatibility

ofthesedevicestoSHA-2orothersafercryptographic

algorithmsappearstobeaspoorasorworsethanthat

ofmobilephonesintermsofmemorycapacityand

otherrestrictions

Similarlythesedevicesareequippedwithalimited

numberofrootcertificatesastheyonlyaccesscertain

webserversForexampleSSLTLScommunication

failuremayoccurwhentheSSLcertificateonaserveris

switchedtoaSHA-2compatiblecertificateInaddition

sincetheseembeddeddeviceshavealongerproductlife

cyclethanwebbrowserstheyarenoteasilyreplaced

evenifdefectsarereported

Thereforeservermanagersoperatingwebservices

intendedfortheseclientenvironmentsarerequiredto

promotecertificatereplacementonserversanddevices

incollaborationwiththeserverdevelopers

8 Uniquely developed client server model by a systems integrator

Attherequestofacustomerasystemsintegratormay

developspecificclientsoftwarewithabrowsingfunction

Inthiscasetheserverlifecycletendstobelongand

incompatiblewithnewcryptographicalgorithmsasthe

softwareistailoredtothecustomersneeds

Alsomanysuchsoftwareproductsareequippedwith

rootcertificatesissuedbyCAsincludingSymantecThis

meansthesoftwareisaffectedbytheCAsalgorithm

migrationIfasystemsintegratorprovidessystems

orservicesusingSSLcryptographyservermanagers

shouldcheckthecompatibilitywithSHA-2firstplan

amigrationofthewholesystemandobtainenduser

consent

InconclusionTable6showstherelationshipbetween

SSLTLScommunicationscomponentsandcryptographic

algorithms

Informationonthecryptographiccompatibilityof

serversbrowsersandmobilephonesmayormaynot

bedisclosedItisadvisableforservermanagersto

understandthenatureoftheirorganisationsservice

andobtaincontactinformationofthevendors(providers)

asnecessary


10

Chapter 2 Summary

TomaintainsecurityinSSLTLScommunicationthe

strengthofcryptographicalgorithmsmustbeincreased

Forexampleadevicewithanexpectedlifecycleof

tenyearsshouldideallybedesignedtakingfuture

cryptographictrendsintoaccountforthenexttenyears

Howeverthisisnotalwayseasytoachievebecause

itisdifficulttobalancethelifecyclesofdevicesand

cryptographies

SuccessfulSHA-2migrationdependsonhowquickly

youcanassesstheenvironmentalcomponentsandthe

specificationsinvolved

Nextwewillgothroughachecklistforservermanagers

tounderstandpotentialissuesandovercomethem

Table 6 The usechoice of cryptographic algorithm by providers for each SSLTLS communication components

Components of SSLTLS communication

ProviderUsechoice of cryptographic algorithm

RemarksPublic-key encryption Common-key encryption Hash function

Certificate CA

Keylengthisspecified

byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver

(Generalwebsites)Servervendors SelectedbyservermanagerasCipherSuite

Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)

SelectedbyservermanagerasCipherSuite

Makesurerootcertificatesareinstalledoneachserver

PCbrowserBrowsersoftware

developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationrequired

asSHA-256inonly

availabletoWindows

XPSP3orlateretc CAsusuallydisclosethe

informationoncompatible

clientenvironments8

CellphoneCellphonecarrieror

devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication

deviceDevicemanufacturer Confirmationwithdeveloperisrequiredascompatiblecryptograph-

icalgorithmsorinstalledrootcertificateslargelyvarydependingon

thedevicesystemUniquelydeveloped

clientserversystem

Systemdeveloper

(SIer)


11

How-andbywhom-shouldSHA-2migrationbe

performedAndwhatcanservermanagersdo

Arebrowsersormobilephonesaffectedbyserver

configuration

Afterreviewingrelevantfactorsinyourdifferent

environmentstakeactionstotesteachenvironment

andaddressproblemsActionsthatcanbetaken

immediatelyareshowninTable1Chapter1

SSL certificate checklist

Item 1 Get a picture of the key lengths of intermediate and root certificates and hash

functions

AsshowninFigure2manySymantecSSLcertificates

includefourlayersSSLcertificatesforwebservers

workinpairs(alsodescribedaschained)witheachof

theintermediatecrossandrootcertificatestoproperly

verifybrowsersignatures

Figure 2 Layered structure (four layers) of general certificate

Server ID - SHA-1SHA-2

1 VeriSign Class 3 Secure Server CA - G3

2 2048bitRSA 3 SHA1withRSA

1 (End -Entity) 2 2048bitRSA 3 SHA1withRSA

1 VeriSign Class 3 Public Primary Certification Authority ndash G5


1 Class 3 Public Primary Certification Authority




Root certificate

Intermediate CA certificate (for cross root configuration)

Intermediate CA certificate

End-entity certificate

1 Symantec Class 3 Secure Server CA - G4









Algorithm for signature RSA SHA-1(as of June 2014)

Algorithm for signature RSA SHA-2

Note A new dedicated intermediate CA certificate must be installedNote that previously obtained intermediate CA certificates are not available

Installed on browser

Installed on web server

Legend1 Name of the certificate subject2 Public key cryptosystem and the key length3 Digital signature

SHA 256 with RSA is employed for the signature on the intermediate and end-entity certificates

Chapter 3 Checklist 9 actions for server managers


12

Servermanagersmustbeawareofthekeylengthand

hashfunctionofthecertificateoneachlayeroftheSSL

certificateusedontheirwebsites

ForexampleCAwillissueanend-entitycertificate

whichisincludedintheSSLcertificatewiththehash

algorithmswitchedtoSHA-2Howeverthisisnot

enoughtocompletethemigrationofhashalgorithms

toSHA-2Thehashalgorithmfortheintermediate

certificatewhichcoupleswiththisSSLcertificatemust

alsobeswitchedtoSHA-2

GenerallyspeakingwhenrenewingtheSSLcertificate

thelatestversionoftheintermediatecertificatespecified

byCAmustbeinstalledSSLcommunicationmaybe

interferediftheintermediatecertificateisnotreplaced

whenswitchingcryptographicalgorithms

CAsincludingSymantecareresponsibleforconstantly

examiningandreinforcingthecryptographicalgorithm

usedforintermediateandrootcertificatesaswellas

end-entitycertificatesServermanagersmuststay

updatedwithinformationprovidedbyCAs

Table 7 Cryptographic algorithms used for Symantec SSL intermediate cross and root certificates

Symantec SSL certificate Intermediate certificate Cross and root certificates

Public key length Hash function Public key length Hash function Public key length Hash function

RSA2048bit SHA-1 or 2 RSA2048bit SHA-1 or 2 RSA2048bit SHA-1

1 RSA 1024 bit root certificate is also used as cross-root method is employedDetails on cross-root method will be described later

Server configuration checklist

Item 2 Review how to generate a CSR

ThehashalgorithmoftheSSLcertificateshould

bespecifieduponapplicationnotwhentheCSRis

generatedIfyoumistakenlychooseSHA-1forthe

hashalgorithmuponapplyingthecertificatewillbe

issuedwithSHA-1Youneedtoinstalltheintermediate

andcrosscertificateswhichproperlychainwiththe

SSLcertificatethathastheapplieddeterminedhash

algorithm

WhenapplyingforanSSLcertificateakeylengthof

2048bitorlargermustbeselectedortheapplication

willbedeniedWerecommendyoudouble-checkthe

webserverapplicationmanualorconsultthevendor

toseehowtospecifythekeylength

SymantecoffersafreeSSLcertificatefor30daysto

giveyoutimetoreviewthis

httpstrustcenterwebsecuritysymanteccom

processretailtrial_initialapplication_locale=VRSN_

AUamptid=symc_vrsn_ssl_try

Item 3 Review how to set up the intermediate certificates for cross root hierarchy

ThecrossrootmethodisusedforSymantecSSL

certificatesSSLcertificates(end-entity)andtwomore

typesofintermediatecertificate(forthetwolayers

betweentherootcertificateandtheend-entity)mustbe

installedonthewebserverThisisnotnecessaryifitis

installedfromafileinPKCS7formats

Payattentiontotheorderwheninstallingthreetypesof

certificateRefertoFigure2


13

Figure2showsthelayeredstructureofSymantec

SecureSitewithEVSSLCertificates(SHA-1SHA-2)This

certificateisissuedusingthecross-roothierarchyThis

enablessignatureverificationusingtwoseparateroot

certificatescommonlycalledG5rootandG1root

Installthefollowingthreecertificatesonthewebserver

(a)end-entitycertificate

(b)intermediatecertificate

(c)intermediatecertificateforcross-root

Relativelynewbrowsers(InternetExplorer7orlater)are

alreadyequippedwithG5rootSotheirsignaturewill

beverifiedonthethreelayerswhichhaveG3rootas

theirtrustanchorInthiscaseG1rootwhichisverified

via(c)willnotbechained

FormobilephonesnotequippedwithG5roottheir

signaturewillbeverifiedintheorderof(a)(b)and(c)

andfinallythroughallfourlayerswithG1root

Verificationfailurehasbeenreportedbyclients-

especiallyformobilephoneswhichgothroughthechain

infourlayers-foravarietyofreasonsTheseinclude

theabsenceofanintermediatecertificateforcross-root

(c)orthethreecertificates(a)(b)and(c)occurringin

thewrongorder

Symantecperformsoperationaccesschecksfor

browsersandmobilephonesusingthecross-root

hierarchyInsomecasesbrowsersmayaccessproperly

withoutinstallingintermediatecertificatesforcross-

rootHoweverwerecommendyoucheckthewebserver

applicationmanualorconsultyourvendortodiscuss

howtoinstallwebservercertificatesThiswillprevent

accesstestcategoriesfrombecomingcomplicated

Item 4 Review Cipher Suite availability on the server

CommonkeycryptographyhasnotyetbeendiscussedThis

isbecauseitisdeterminedbycommunicationbetweenthe

browserandwebserverThisistherequestforencryption

indicatedas(1)inthehandshakeprocessdescribedin

Figure1Alsospecificationsforpublickeycryptography

andhashfunctionsaredeterminedbyCAsincluding

Symantec

NISThaspublishedadocumentwithselectioncriteria

forciphersuitesThisoffersusefulguidelinesforserver

managersalongwithotherinformationrelatingtothe

strengthofcryptographicalgorithms

Table9belowshowsthepriorityofCipherSuite

recommendedbyNISTwhenusingRSAcertificatesin

TLS12RecommendedCipherSuitesforECDSA(akey

exchangesystemusingECC)andDSA(DigitalSignature

AlgorithmusedmainlyinUSgovernmentalsystems)are

alsolisted

UnfortunatelyCipherSuiteinstallationmanualsfor

servermanagershavenotbeenproperlyproducedyet

Currentlymanyservermanagersusethedefaultsetof

CipherSuiteswhenintroducingwebserverstostartSSL

servicesHoweverideallyitwouldbebetterforthem

torefertoavailabledocuments-suchasTable9-and

activelypromotecryptographicalgorithmsecurityincluding

common-keycryptography

SimilarlydomesticserverapplicationvendorsandCAsmust

developanddiffusemanualsandlistsforthispurpose3

(Reference)WebsiteslistingCipherSuiteareavailableon

OpenSSL

httpwwwopensslorgdocsappsciphershtml

Table 9 List of TLS 12 Cipher Suites for TLS 10 recommended by NIST(excerpt from 331 Cipher Suites of Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations NIST SP 800-52 Revision 1)

CipherSuiteName KeyExchange EncryptionHashFunctionforHMAC

HashFunctionforPRF

TLS_RSA_WITH_AES_128_GCM_SHA256 RSA AES_128_GCM NA SHA-256


TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE AES_128_CBC NA SHA-256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE AES_128_GCM NA SHA-256

TLS_RSA_WITH_AES_128_CBC_SHA256 RSA AES_128_CBC SHA-256 SHA-256


TLS_RSA_WITH_AES_128_CCM16 RSA AES_128_CCM NA SHA-256

TLS_RSA_WITH_AES_256_CCM RSA AES_256_CCM NA SHA-256


14

Item 5 (For inter-server communication environment) Be cautious Double check required root certificates

Nextwediscussinter-servercommunicationusingSSL

TLSThisincludesinstancessuchasextranetuseamong

groupsorder-takingsystems

Confirmthattherequiredrootcertificateisinstalledon

eachserveraswellasthepreviouslydiscusseditems

Therootcertificateusedforsignatureverificationmust

beinstalledIninter-servercommunicationeachserver

applicationactsasaclientandverifiesthesignatureon

theSSLcertificateoftheotherserversapplication

GenerallyrootcertificatesareissuedbymajorCAs

includingSymantecandarepre-installedonapplication

platformswithinthedevelopmentenvironmentAn

SHA-1rootcertificateorso-calledG5G1willbeused

onanongoingbasisaspreviouslydiscussedTherefore

therootcertificatedoesnotneedtobereplaced

Howeverwerecommendyoucheckifanadditionalroot

certificateisrequiredorfindouthowtoaddone

Forexamplewheretheservercommunicationsystem

iscomposedofJ2EE(anenterpriseapplication

environmentcomposedofJava)whenanapplication

actsasaclientandperformsSSLTLScommunication

withtheotherapplicationrootcertificatesare

aggregatedinafilecalledcacertswhichisincludedin

thedevelopmentenvironmentThesecertificatescanbe

addedordeletedusingatoolcalledkeytool

(Reference)Keytool-managementtoolforkeysand

certificatesSunMicrosystems

httpdocsoraclecomjavase7docstechnotestools

solariskeytoolhtml

Client environments factors to consider

Item 6 (For PC browsers) Compatibility improvements

Howwell-preparedarePCbrowsersandmobilephones

forSHA-2

Table10brieflysummarisestwoviewpointsregarding

PCbrowsers

Table10CompatibilityofbrowsersonWindows

WindowsVista Windows78

IE7 IE8 IE8orlater

Compatibilitytohash

algorithmSHA-2 l l l

lPerfectlycompatible

sNoprobleminsomeenvironmenthowevernotyetadequate

WindowsXPSP3orlaterispartiallycompatiblewithSHA-256

RegardingtheSHA-2functioncompatibilityforthe

platformslistedinTable10itcanbesaidthatthis

compatibilityhasimprovedgreatlysince2010Thishas

beenhelpedbythepopularityofnewOSsincluding

Windows7andtheOSmigrationcausedbythe

terminationofsupportforWindowsXP

Penetrationlevelsofcryptographicalgorithmsandroot

certificatesinclientplatformshavegreatlyinfluenced

whenandhowCAschangethespecificationoftheir

SSLcertificatesForexampleMicrosoftsetsaSHA-2

migrationscheduleinitsrootcertificateprogramasa

requirementforCAs3

Servermanagersarerequiredtopromotethemigration

tonewOSandbrowserswhicharecompatible

withsafercryptographicalgorithmsaspartofthe

requirementtomaintainandsecurethesafetyofSSL

TLScommunicationalongwithCAsandOSbrowser

providers


15

Item 7 (For feature phones and smartphones) Review the cover ratio

AsdescribedinChapter2duetomemorycapacity

limitationsfeaturephonesarelesscompatible

withcryptographicalgorithmsincomparisontoPC

browsersSomemodelsareequippedwithfull-browser

functionalityhowevertheymayonlybeabletohandle

alimitedrangeofcryptographicalgorithms

Converselysmartphoneshavefewerlimitationson

memorycapacityTheircapabilitiesareclosertothose

ofPCbrowsers

Table11summarisesthealgorithmcompatibilityand

installationstatusofrootcertificatesformobilephones

Table11Compatibilityoffeaturephonesandsmartphones

2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l


sNoprobleminsomeenvironmenthowevernotyetadequateinmany

environment

ServermanagersmustpayattentionwhenCAsclaim

amobilephonecoverageofNNOftenthisis

actuallyaninflatedfigureandincludescaveatssuchas

excludingmodelsseriesreleasedin200Xorearlieror

thecalculationisbasedonaccesstocertainsites

(ienotbasedontheyearofreleaseormodelsseries)

Althoughfiguresbasedonaparticularmodelorseries

canactasabarometerforcompatibilityitfluctuates

continuouslyIdeallycorporateservermanagersshould

keeptrackofaccuratecoverageratesforeachphone

modelaswellascomparingfiguresandcommunicating

accurateinformationtoendusers

Item 8 (For feature phones) Understand the characteristics of mobile phone apps (Java BREW etc)

SomemobilephoneservicesconductSSLTLS

communicationviadedicatedapplicationswhichrunon

themobilephoneitselfratherthanwebbrowsersJava

J2MEandBREWaremajorapplicationplatforms

Inmostoftheseclientenvironmentscommunicationis

notconductedbyusersbyarbitrarilyspecifyingURLs

towebsitesbutinsteadinthebackgroundwithspecific

websitesThereforeservermanagersoperatingwebsites

orserviceswhichcommunicatethroughdedicated

applicationsmustcheckthealgorithmcompatibilitiesof

theapplicationplatformsontheclientside

Item 9 (For household appliances and embedded devices) Understand the communication of each device

AsdiscussedinChapter2whenconnectingwithSSL

TLScommunicationfromplatformsembeddedin


automationequipmentservermanagersmustcheck

whichcryptographicalgorithmsthedevicescanhandle

selecttheappropriateSSLcertificateandinstallthem

Notethatduetothelonglifecyclesofthesedevices

itcantakealongtimeforalldevicesinthemarketto

bereplaced-eventhoughmanufacturerstrytoadd

cryptographicalgorithmsorrootcertificatesServer

managersmustensuretheyperformthefollowingtasks

inadditiontotheirregularduties

-Payattentiontolong-termtrendsforcryptographic

algorithms

-CollectinformationregardingCAslong-termplansfor

rootcertificatemigration

-Requestmanufacturerstoinstallnewalgorithmsand


Symantecprovidesusefulinformationforserver

managersandthemediaActingontheseupdates

increasesyourchancesofsuccessinmigration


16

Chapter 4 What is the deadline for making these changes

ThechecklistofnineitemspresentedinChapter3

focusedonactionswhichservermanagerscanand

shouldtakeimmediatelyBasedontheseactionsthis

chapterdescribeshowmigrationwilltakeplaceover

severalyearsfromnowItincludessomeassumptions

LookatFigure5InitsannouncementMicrosoft

requiresCAstoterminatetheissuingofSSLcertificates

(end-entitycertificates)andintermediatecertificates

usingSHA-1bytheendof2015andalsotodiscontinue

theuseofthesecertificatesInresponsemanyCAs

includingSymantechaveannouncedthesamepolicyin

ordertomigratetoSHA-2certificates

ToensureasmoothmigrationtoSHA-2Symantec

hasannouncedascheduleforsequentialtermination

ofSHA-1certificatesalongwithpromotionofSHA-2

certificates9

Figure 5 Example of migration timeline for corporate server managersThis timeline shows an example of general SSL certificate migration based on the market trend as of the creation date This does not indicate Symantecs migration plan

2010 2011 2012 2013 2014 2015 2016 2017

Maximum period of validity of certificates with RSA 1024 bit keys

Adjustmentdiffusion period of SHA-2 for general web servers and browsers

Adjustmentdiffusion period of SHA-2 for all applications and devices which conduct SSL communication

Issue renew and reissue of SHA-1 certificates

Maximum period of validity of SHA-1 certificates

New issuance of certificates with 2048 bit keys and the maximum period of validity

New issuance of certificates using SHA-2 and the maximum period of validity

Adjustment for SHA-2 testing period

Certificates (conventional specification)

Certificates (new specification)

Testingadjustment period

(Reference) Supporting period of SHA-1 on Microsoft Windows (as of today)

STOPSTOP

STOPSTOP


17

Required actions

Table11showstheactionsthatneedtobetaken

toenableSSLTLScommunicationbetweenclients

browsersandserversWebsitemanagersandbrowser

vendorsusingSHA-1mustcompletemigrationtoSHA-2

inapproximatelytwoyearsItisnottooearlytostart

budgetingandplanningforthemigrationincludingany

testing

Consider introducing Elliptic Curve Cryptography (ECC) to improve website response

EllipticCurveCryptography(ECC)isatechnologythat

improvessecurityusingasmallercryptographickey

lengthincomparisontoRSAapublickeycryptosystem

TheECCcertificatesSymanteclaunchedin2013meet

MicrosoftrequirementsforSHA-2employedwiththe

hashalgorithmTheyalsorealisetheencryptionstrength

with128-bitequivalentsafetyof128bit10

DirectorzCoLtdahostingserviceproviderconfirms

thatbyinstallingECCcertificateswhichsupportSHA-

2theloadonwebserverCPUisreducedby46while

responsetimeisimprovedby7

AsanoptionforpromotingthehashalgorithmtoSHA-

2despitethelowercoveragerateforbrowsersetc

comparedtoRSAitishelpfultobeawareoftheECC

certificate-asitcanimprovewebsiteperformance

Common key cryptosystem

Finallyforthecommonkeycryptosystemitmaybe

desirabletostartoffwithpolicysettingsforalgorithms

andCiphersuitesregardingSSLTLSsettingsforserver

operationsRefertodocumentssuchasNISTmentioned

inItem4

Servicestoevaluatewebsitevulnerabilitiesareavailable

andofferobjectiveevaluationandindicationsfor

improvement

Table 11 Actions to be taken for migration to SHA-2

SHA-2 installation Termination of SHA-1 use

Website manager

- Testing SHA-2 certificates

- Installing SHA-2 certificates sequentially (by

December 31 2016 at the latest)

- Installing SHA-2 certificates sequentially by

reissuing etc if the validity period of SHA-1

certificates expire after 2017

Manager of inter-system linkage using API

- Testing inter-system linkage of SHA-2

certificates

- Installing SHA-2 certificates and root

certificates (by December 31 2016 at the

latest)




Browser vendors

Embedded device vendors

- Accommodating SHA-2 algorithms

- Implementing SHA-2 root certificates to

browsers and embedded devices

- Taking actions toward SHA-1 certificates by

displaying warning message etc


18

Chapter 5 When will the next cryptographic algorithm migration take place

SHA-2migrationhastobeaddresseddirectlyButwill

thesemigrationshappenagaininthefuture

NISTpredictsthatsomeofthealgorithmsrecognised

assufficientlysafeafter2010-suchasRSA2048bit

andSHA-224-maybeunsafeafter2030Managersof

systemsthatwillbeusedinthelong-termshouldbe

mindfulthattheywillneedtodevelopandupgradeso

thatcryptographicalgorithmscanbeusedtomaintain

securityuntiloperationsarecompletedThisisshownin

Table12

Table12Minimumequivalentsecurityrequiredfororganisations(sourcesameasTable2)

Validationperiodofsystem

Minimumrequirementofequivalentsecurityfulfilledbycryptographicalgorithmtouse

Bytheendof2010 80bit


After2031 128bit

HashfunctionSHA-2isdesignedinasimilarwayto

SHA-1Thereforetheneedforanext-generationhash

algorithmisrecognisedNISTheldacompetitionto

scoutapotentialsubstituteforSHA-2andannounced

thatKeccackhadwonthisasSHA-3inOctober2012

NISTwillfinaliseitsspecificationaftermakingafew

finaladjustments11

AspreviouslydiscussedEllipticCurveCryptography

(ECC)isbelievedtobeeffectiveforpublickey

cryptosystems

Chapter 6 Conclusion

Undoubtedlythemigrationofcryptographicalgorithms

isamajorchallengerequiringasignificanteffortnot

onlyfromCAsbutalsofromserverbrowservendorsand

managersHoweverbyimplementingtheappropriate

measuresandensuringthecorrectchecksasmooth

migrationcanbeachievedfornowandthefuture

Asaleadingproviderofauthenticationservices

Symantecwillmakeeveryefforttoissuecertificatesand

supportyoufullyinyourmigration


19

For specific country offices and contact numbers please visit our website For product information in the Asia Pacific region callAustralia +61 3 9674 5500

New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992

Or email ssl_sales_ausymanteccom

ssl_sales_asiasymanteccom

No part of the contents of this white paper may be reproduced or transmitted in any form or by any means without the written permission of the publisher

Copyright copy 2015 Symantec Corporation All rights reserved Symantec the Symantec Logo the CheckmarkCircle Logo and the Norton Secured Logo are trademarks or registered trademarks of Symantec Corporation or itsaffiliates in the US and other countries Other names may be trademarks of their respective owners

SymantecSymantec Website Security Solutions Pty Ltd3437 St Kilda Road Melbourne3004 ABN 88 088 021 603wwwsymanteccomenaassl-certificates

NotesReference

1 CRYPTRECReport2012ReportoftheCryptographicOperationCommitteeJuly2013

httpwwwcryptrecgojpreportc12_sch_webpdf

2 NewPreimageAttacksAgainstReducedSHA-1

httpwwwiacrorgconferencescrypto2012slides6-3-Knellwolfpdf

3 MicrosoftRootCertificateProgram(asofJuly2014)

httpsocialtechnetmicrosoftcomwikicontentsarticles1760windows-root-certi_cate-program-

technicalrequirements-version-2-0aspx

4 HardwarewhichhasundergoneoperationverificationbySymantec

httpsknowledgeverisigncojpsupportssl-certi_cates-supportindexpage=contentampid=SO23044

5 ReportonSSLServerConfigurationSurveyIPA2012

httpwwwipagojp_les000014264pdf

7 Accesscoveragewasabout70asofJuly2014Fortestresultrefertothefollowing

httpsknowledgeverisigncojplibraryVERISIGNVSJresourcesclient-sha2eepdf

8 Accesscoverage999

httpsknowledgeverisigncomsupportssl-certificates-supportindexpage=contentampid=SO25586ampactp=search

ampviewlocale=en_USampsearchid=1418729322313

9 ScheduleofSymanteccertificatestosupportSHA-2

httpwwwsymanteccompagejspid=sha2-transition

10 SymantecECCcertificate

httpwwwsymanteccompagejspid=how-ssl-worksamptab=secTab4

11 NISTThird-RoundReportoftheSHA-3CryptographicHashAlgorithmCompetition(November2011)

httpnvlpubsnistgovnistpubsir2012NISTIR7896pdf

Disclaimer AllopinionsexpressedinthispaperarethoseofSymantecWhileusefultheydonotprovideaguaranteeofsuccessinmigration

Symantecisnotresponsibleforanylosscausedbytheapplicationofthisinformation

More Information


Head Office


Branch Office



SymantecTM CertificateIntelligence Center

OverviewFor todayrsquos enterprise SSL security is more critical ndash and more difficult tomanage ndash than ever before With network infrastructure that spans multiplegroups of servers organisational units and locations managing SSL certificatescan be a complex time-consuming process that burdens IT teams and puts a drain on resources

SSL certificates within the enterprise are frequently at odds with official policiesand procedures put in place to administer SSL security In some cases older SSLcertificates may conflict with new policies or customised exceptions are madeto meet unique business requirements In addition employees and business unitrepresentatives may lack the knowledge to abide by policies created by theircompanies All of these factors create variance across the enterprise complicating the overall management of SSL security

Regardless of the cause any uncertainty surrounding SSL certificate statusposes a risk that can have serious consequences The expiration of an unknowncertificate a missed renewal or update ndash or keeping an expired certificate on anasset ndash can create security vulnerabilities leaving enterprise networks exposedand potentially resulting in critical system downtime If a data breach occursthe costs of mitigating the damage can be expensive enterprises can face highersupport costs lower productivity and revenue and even damage to their hard-earned reputations

Quickly Take Control of Enterprise SSLAvailable exclusively to Symantectrade Managed PKI for SSL customers the Symantectrade Certificate Intelligence Center powered by Symantec helps provide a complete view of SSL security across the enterprise allowing administrators to take full control of all SSL certificates issued by any Certificate Authority By scanning and centralising data into one central repository Symantec Certificate Intelligence Center gives administrators the detailed intelligence they need to manage the enterprise SSL environment quickly and easily

Ideal for companies with more than 100 servers under management SymantecCertificate Intelligence Center also allows enterprises to automate discoverytasks and set up alerts to notify administrators when certificates expire or require maintenance With Symantec Certificate Intelligence Center automated and fullyconfigurable discovery scans cut the time taken to keep track of SSL certificate assets giving IT teams the time they need to focus on other mission-critical tasks

Symantectrade Certificate Intelligence CenterSimplify SSL Certificate Discovery and Management Across the Enterprise

Key Benefits

bull Gain Complete Visibility intoSSL EnvironmentFast certificate discovery scansprovide a complete inventoryof SSL certificates across theenterprise network

bull Maintain Business ContinuityPrevent unknown certificateexpirations and mitigateassociated risks throughconfigurable notifications andalerts

bull Minimise Management OverheadHybrid deployment modelleveraging a cloud-based serviceprovides seamless integration andthe latest features without loss ofdata collection capabilities

bull Utilise Rich ReportingCapabilitiesCreate a centralised inventory ofcertificates and sort by issuingCertificate Authority key lengthalgorithm organisation servertype and more

bull Eliminate the Need forCustom CodeManage your certificates withoutthe need for expensive customcode or lengthy PSO engagements

bull Scale to Meet the Demands ofAny NetworkScan thousands of servers spreadacross large networks quickly andeasily by leveraging a distributedarchitecture

Datasheet SSL Certificate Management

SSL Certificate Management

Hybrid Deployment Model Offers Maximum FlexibilitySymantec Certificate Intelligence Center utilises an advanced hybrid deploymentmodel to give enterprises complete integrated control over their SSL certificatesThis model features two main components the Console and the Sensor

Hosted and delivered from Symantecrsquos cloud infrastructure the Console containsconfiguration user management permissions and other information required touse the Symantec Certificate Intelligence Center Sensors are installed at strategic points on the enterprise network and perform actions based on instructions assigned by an administrator using the Console Together these tools provide a powerful yet simple way to audit and manage all of the SSL certificates across the enterprise

Features

bull Customisable SSL Certificate DiscoverySchedule and configure how scans are performed across different parts of thenetwork while taking advantage of sensors that can scale to thousandsof servers

bull Rich Intuitive User InterfaceA best-in-class dashboard featuring easy-to-use reporting capabilities givesusers immediate access to critical data

bull Analytical ToolsUse value-added tools that act on discovered data to provide informationsuch as OCSPCRL responses forecasting calculator implementation ratingand more

Symantec Certificate Intelligence Center

Symantec certificate intelligence centerSecure cloud PlatformAPPLICATIOn LOgICCOnFIgURATIOnDISCOveRy DATARePORTIngAUDIT LOgS

SenSor functionalityDISCOveRy SCAnS AUDIT LOgSSeCURITy MODULe

mu

tual

ly a

uthen

ticated communication

HTT

PS P

ORT 443SenSor Polling the clo

ud

EntErprisE nEtwork


bull In-Console Alerts and Email NotificationsInforms users of pending certificate expiration and other certificate lifecyclestatus to guarantee that administrators receive relevant and importantinformation on time

bull Delegation CapabilitiesAdministrators can easily delegate the deployment and management ofSymantec Certificate Intelligence Center and resulting data to the individualsthat are most appropriate to handle each task

bull Customisable User Management and Role-Based AccessManage and customise user roles or select from pre-determined rolesprovided by Symantec Certificate Intelligence Center

bull Audit Trailseasily track operations with in-Console logs that record actions taken byadministrators while Sensor-maintained audit logs record key events that aidin network troubleshooting




Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B

b-managed-pki-for-ssl-DS-en-us

Seperator C

Migrating_to_SHA-2_Whitepaper_EN

Chapter 1 Summary

Chapter 2 Why is migration to SHA-2 certificate required


Is the security of cryptographic algorithms gradually deteriorating

What if the security of algorithms depreciates

Lets define the scope of testing and implementing countermeasures

How does the test fail

Chapter 2 Summary

Chapter 3 Actions to take in line with the Checklist 9 items for server managers

Checklist regarding SSL certificate

Checklist regarding sever configuration

Things to understand regarding the client environments

Chapter 4 When should the measures be taken by

Required actions

Chapter 5 How long should we repeat migrations of cryptographic algorithms


Seperator D

Symantec_CIC_whitepaper

Enhancing Website Securitywith Algorithm Agility

ENH

AN

CIN

G W

EBS

ITE SEC

UR

ITY

WITH

ALG

OR

ITHM

AG

ILITY


White Paper



Contents

Introduction 3

Encryption Today 3






Next Steps 7

Conclusion 7


Introduction


























Encryption Today











the RSA algorithm




















and infrastructure










Public Keys

Key Size

Ratio

Protection

from


80 1024 1024 160-223 16 Until 2010

112 2048 2048 224-255 19 Until 2030

128 3072 3072 256-383 112 Beyond 2031

192 7680 7680 384-511 120

256 15360 15360 512+ 130






























transmitted message





















































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D


ENH

AN

CIN

G W

EBS

ITE SEC

UR

ITY

WITH

ALG

OR

ITHM

AG

ILITY


White Paper



Contents

Introduction 3

Encryption Today 3






Next Steps 7

Conclusion 7


Introduction


























Encryption Today











the RSA algorithm




















and infrastructure










Public Keys

Key Size

Ratio

Protection

from


80 1024 1024 160-223 16 Until 2010

112 2048 2048 224-255 19 Until 2030

128 3072 3072 256-383 112 Beyond 2031

192 7680 7680 384-511 120

256 15360 15360 512+ 130






























transmitted message





















































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D




Contents

Introduction 3

Encryption Today 3






Next Steps 7

Conclusion 7


Introduction


























Encryption Today











the RSA algorithm




















and infrastructure










Public Keys

Key Size

Ratio

Protection

from


80 1024 1024 160-223 16 Until 2010

112 2048 2048 224-255 19 Until 2030

128 3072 3072 256-383 112 Beyond 2031

192 7680 7680 384-511 120

256 15360 15360 512+ 130






























transmitted message





















































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



Introduction


























Encryption Today











the RSA algorithm




















and infrastructure










Public Keys

Key Size

Ratio

Protection

from


80 1024 1024 160-223 16 Until 2010

112 2048 2048 224-255 19 Until 2030

128 3072 3072 256-383 112 Beyond 2031

192 7680 7680 384-511 120

256 15360 15360 512+ 130






























transmitted message





















































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D

















and infrastructure










Public Keys

Key Size

Ratio

Protection

from


80 1024 1024 160-223 16 Until 2010

112 2048 2048 224-255 19 Until 2030

128 3072 3072 256-383 112 Beyond 2031

192 7680 7680 384-511 120

256 15360 15360 512+ 130






























transmitted message





















































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D
























transmitted message





















































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D




































considered





















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D















coverage

Next Steps













Conclusion












More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



More Information

Visit our website



Call toll-free 1(866) 893-6565 or 1(650) 426-5112



About Symantec







350 Ellis Street


1 (866) 893 6565

wwwsymanteccom




Branch Office









Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D








Features








Benefits











bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D






bull Wildcard SSL































wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D













wwwsymanteccom

UID 2260714



Head Office


Branch Office




Head Office


Branch Office



More information


Head Office


Branch Office




WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



WH

ITE PA

PER

powered by Symantec

White Paper



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



2

CONTENTS

Chapter 1 Summary 3







Chapter2Summary 10






Requiredactions 17




3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



3

Chapter 1 Summary
























Client environment







future


4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



4











information



Root certificate

Symantecserver ID







Verified































algorithmsrsquo


5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



5
























developed















requirement




of2013











SHA-11

SHA-224 SHA-256

SHA-384 SHA-512





SHA-384 SHA-512







Low

Secu

rity

Hig

h


6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



6







beexposed









compromisedsecurity






orcorporatesystems












Hashfunction






SHA-2

(SHA-224SHA-256etc)






AES128bitetc









Hashfunction





-Collisionattack

-Pre-imageattack




-Brute-forceattack



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



7

















Environment

component

-Webserver

-PCbrowser


phones)

-Webserver





Server

preparationfor

tests








Itemstotest

regarding

SSLTLS

communication










interactingservers

Possible

reasonsthat

mayproduce

badresults




SHA-2







handleSHA-2


communicationdevice







serverapplication


8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



8





canaddressthem

1 SSL certificate









algorithmscorrectly



leadtoabreach



andsecurity








certificate

















tobelesssecure5

























4 Browsers (PC)






9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



9








place













installed

6 Smartphones







7 Embedded devices








otherrestrictions


























consent



algorithms






asnecessary


10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



10

Chapter 2 Summary








cryptographies










Certificate CA


byservermanager

uponCSRgeneration

(Rootandintermedi-

atecertificatesare

specifiedbyCA)

- (SpecifiedbyCA)

Webserver


Webserver

(Inter-servercom-

munication)

Systemdeveloper

(SIeretc)




developer

Capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite


asSHA-256inonly

availabletoWindows



clientenvironments8


devicemanufacturer

Manymodelsare

capableofhandling

appropriatekey

lengthssuchasRSA

2048bit

Confirmation

requiredaseach

browserhasdifferent

priorityofCipher

Suite

Confirmationre-

quiredasSHA-256

inonlyavailableto

modelsreleasedafter

2009etc

Communication




clientserversystem

Systemdeveloper

(SIer)


11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



11




configuration







functions

















Root certificate






















12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



12



































algorithm





















13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



13























thewrongorder
















Symantec










alsolisted












OpenSSL




HashFunctionforPRF










14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



14






























solariskeytoolhtml




forSHA-2


PCbrowsers



IE7 IE8 IE8orlater

Compatibilitytohash
















requirementforCAs3






providers


15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



15










ofPCbrowsers




2G

cellphone

3G

cellphoneSmartphone

Compatibilityto

hashalgorithm

SHA-2times s7 l



environment







































algorithms









16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



16

















certificates9


2010 2011 2012 2013 2014 2015 2016 2017













STOPSTOP

STOPSTOP


17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



17

Required actions







testing






















inItem4



improvement



Website manager









certificates



latest)




Browser vendors








18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



18











Table12






After2031 128bit







finaladjustments11



cryptosystems












19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D



19


New Zealand +64 9 9127 201

Singapore +65 6622 1638

Hong Kong +852 30 114 683

Taiwan +886 2 2162 1992






NotesReference














8 Accesscoverage999











More Information


Head Office


Branch Office










Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D









Key Benefits











Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D





Features







mu

tual

ly a

uthen


HTT

PS P


ud

EntErprisE nEtwork









Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D










Branch Office



Cover

Seperator A

Algorithm_Agility

Seperator B


Seperator C


Chapter 1 Summary







Chapter 2 Summary






Required actions



Seperator D


Technical Support Matrixlp.adwebtech.com/cic/SymantechGuide.pdf · Authorities should not issue any...

Documents

Transcript of Technical Support Matrixlp.adwebtech.com/cic/SymantechGuide.pdf · Authorities should not issue any...