symantec™ perfect forward secrecy in info-graphic
DESCRIPTION
Are you worried about value of privacy on the Internet? Must watch this info-graphic about The Value of Perfect Forward Secrecy from Symantec™TRANSCRIPT
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 0111100101010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 0111100101010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 0111100101010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 0111100101010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
Take one look at the numbers, and you’ll see why it’s worth getting to know Perfect Forward Secrecy
When it comes to security, IT professionals need to think ahead: An eavesdropper who records traffic today may successfully decrypt it in the future. A solution is to employ Perfect Forward Secrecy, in which unrecoverable temporary session keys
are generated, used and discarded. When implemented correctly with Elliptic Curve Cryptography (ECC), Perfect Forward Secrecy is more secure than RSA
algorithms and performs better.
The world isn’t safe, and security risks to businesses and consumers are growing.
PRISM PROGRAM
Program of the National Security Administration (NSA)
Revealed by Edward Snowden in spring 2013
Attempt to gain access to the private communications of users of:
Microsoft Yahoo! Google Facebook3
ADOBEZAPPOS.COM LIVINGSOCIAL
24 50 38million customers
affected5million customers
affected6,7million accounts
hacked4
JAN 2012 APR 2013 SEP 2013
RSA
RSA generates a public and private key to encrypt and decode
messages.
Continued use of recoverable keys makes stored data accessible if keys are compromised in the future
PERFECT FORWARD SECRECYWith Perfect Forward Secrecy, keys are randomly generated,
exchanged, and discarded.
Methods include ECDHE (Elliptical Curve DHE) & DHE (Diffie-Helman,
allows shared secret key exchange).
Past messages are protected from future attack
Potential performance improvement, if implemented correctly
All ECDHE servers have ciphers at least as strong as RSA signatures
Perfect Forward Secrecy can be cracked if ciphers are weak or stored incorrectly
4 out of 5 DHE-enabled servers allow ciphers weaker than RSA signatures12
60%18%
of hosts10
ECDHE supported by
of hosts11
DHE supported by
Currently the dominant system, supported by
99.9%
of sites8
CHARACTERISTICS CHARACTERISTICS
Will move from 2048-bit to 4096-bit key size, supported in
2014 by 2% of sites9
2%2048-bit 4096-bit
SECURITY BENEFITS256-bit ECC is estimated to be
10,000 timesas tough to crack as RSA.
When ECC is applied to DSA (called ECDSA), level of
security climbs
160-bit public ECDSA key as secure as 1024-bit DSA key
By default, ECDHE is properly configured for security with
efficient 256-bit key size
Requires periodic or upon-connection new random
key generation
Ephemeral keys cannot be revealed, so even recorded traffic
is safe
PERFORMANCE BENEFITSTests were conducted using Elliptic Curve and RSA for key
exchange and digital signature.
The results?13
For complex page server requests per second:
For multi-domain page server requests per second:
with ECDHE-ECDSA
with RSA-RSA
with ECDHE-ECDSA
with RSA-RSA
Performance improvement of
27%
52%
CPU usage cut about 60% with Elliptic Curve
Perfect Forward Secrecy better than free in terms
of performance
Done properly, Perfect Forward Secrecy protects sensitive information yesterday, today,
and tomorrow. What’s more, it does so while improving performance and user experience.
For more information visit www.symantec.com/SSL or call 1-866-893-6565 or 1-520-477-3111 to speak with a security specialist and find out how certificates
with ECC can offer improved performance and protection for your business.
© 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and the Norton Secured Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
TO
360265 338265
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 0111100101010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
THE VALUE OFPerfect Forward Secrecy
RSA vs. Perfect Forward Secrecy: Which provides greater security?
Perfect Forward Secrecy, when implemented with ECC, offers significant performance and security benefits.
Conclusion
Sources
TIMELINE OF ADDITIONAL DATA BREACHESNames, encrypted passwords, and encrypted credit and
debit card numbers were among the types of data stolen in these high-profile breaches.
More than 35% increase Nearly 28% increase
1 Finkle, Jim and Egan, Louise. "'Heartbleed' blamed in attack on Canada tax agency, more expected," Reuters.2 Yadron, Danny. "Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data," Wall Street Journal.3 Lee, Timothy B. “Here’s everything we know about PRISM to date,” Wonkblog, WashingtonPost.com. 4 Hsieh, Tony. “Security Email.” 5 Swisher, Kara. “LivingSocial Hacked — More Than 50 Million Customer Names, Emails, Birthdates and Encrypted Passwords
Accessed (Internal Memo),” AllThingsD.com.6 “Adobe Breach Impacted At Least 38 Million Users,” KrebsOnSecurity.com.7 Arkin, Brad. “Important Customer Security Announcement,” Adobe Featured Blogs. 8 Huang, Lin-Shung, Adhikarla, Shrikant, Boneh, Dan, and Jackson, Collin. “An Experimental Study of TLS Forward Secrecy
Deployment,” September 2013.9 Ibid.10 Ibid.11 Ibid.12 Ibid.13 Ibid.
HEARTBLEED BUGOnline traffic on over half a million trusted websites vulnerable starting June 2012
2013
2014
Estimated costs to eCommerce and online business in the 100s of millions
Data stolen from the Canadian Tax Agency1
Names, passwords and other private information vulnerable to theft
OpenSSL estimated to encrypt ~2/3 of active websites across the Internet2
RSARSA PERFECT FORWARD SECRECY
PERFECT FORWARD SECRECY