Symantec Website Security Solutions and Algorithm Agility Announcements
February 13, 2013
Quentin Liu, Sr. Director Engineering
Deena Thomchick, Director of Product Marketing
Robert Hoblit, Sr. Director of Product Management

What's New

Protecting the Hyper-Connected World
- Information Explosion
- 30 Billion Connected Devices
- Digital & Social Life
- Regulatory & Compliance
- Technology Advancements
- Clouds
- Mobile
- Applications
Need for NEW Protection Models to Secure the Future Internet
- IT Complexities & Challenges

Website Security Solutions Vision
Enabling people, businesses and countries to protect and manage their digital information so they can focus their time and energy achieving their aspirations

Website Security Solutions Strategy
- Trusted Advertising
- Trusted Shopping
- Trusted Applications
Foundation of Trust on the Internet

Key Drivers Demand the Need for New SSL Solutions
ECC, DSA, RSA

Extending Symantec SSL: New Algorithms and Solutions
- First CA to offer 3 crypto algorithms
- Available soon in Managed PKI SSL Certificates
- More Choices | Improved Performance | Increased Security
- No additional charges for ECC and DSA

Symantec is the first CA to offer 3 crypto algorithms
- RSA 2048, DSA 2028 and ECC 256
- Included as options, free of charge
- DSA included in standard MPKI SSL Certificates
- ECC and DSA offered in Premium MPKI SSL Certificates

Why are we launching new algorithms?
- Offer choice to customers
- DSA 2048 for US Government preferences
- ECC 256 for high connection speeds at load
- RSA 2048 for safe business as usual

It's about the future
- More secure connections to your servers
- Improved performance on your servers

Pricing for SSL Cert with ECC and DSA
Premium Certificates and Services
- Symantec Secure Site Pro - $995
- Symantec Secure Site Pro EV SSL Certificates with ECC - $1495 (as of 2/13/13)

Elliptic Curve Cryptography Overview
ECC

1. Stronger Encryption
- Shorter key than RSA
- 256-bit ECC = 3072-bit RSA
- 10k times harder to crack than RSA 2048
- Meets NIST recommendations

2. Efficient Performance
- Efficiency increases with higher server loads
- Utilizes less server CPU
- PCs: Faster page load time
- Ideal for mobile devices

3. Highly Scalable
- Large SSL deployments w/out additional hardware
- Securing the enterprise:
  - Use fewer resources
  - Lower costs

4. Future of Crypto Tech
- Viable for many years
- Built for Internet of Things
- Supports billions of new devices coming online
- Ideal for Open Networks
- Truly future proof trust infrastructure in place

ECC Delivers Increased Security
10k Times Harder to Break Than RSA Key

[Chart: MIPS Years to break vs. Key Size (bits). Marked on the chart: Current acceptable security Level [10^24 MIPS years], Current Ind. Std., SYMC ECC]

ECC offers greater security as compared to other prevalent algorithms. Symantec ECC-256 certificates will offer equivalent security of a 3072-bit RSA certificate. Compared to a 2048 RSA key (which is the industry norm), ECC-256 keys are 10,000 times harder to crack.

- The longer the RSA key, the less applicable it becomes in the real world.
- ECC maintains very complex cryptography w/key lengths that meet demands of reality

Source: Symantec Internal Research and Testing
Computations: http://www.nsa.gov/business/programs/elliptic_curve.shtml

The yellow bubble shows that ECC is already years ahead of the current industry standard of 2048-bit encryption, and we haven't even begun to test the limits of ECC's capabilities to encrypt and protect data.
ECC performs better in comparison to RSA as requests per second increase
This translates into faster page loads for PC
These numbers are preliminary and are expected to greatly improve
Source: Symantec Internal Research and Testing
Computations: http://www.nsa.gov/business/programs/elliptic_curve.shtml
ECC 384-256-256; RSA 2048-2048-2048
Page sizes: 200K
Specifications: 8 cores; 7 GiB of memory; clock frequency: 2.33 GHz; network: 1 Gbps
Web server: Apache 2.4.3; openssl: 1.0.1c
Worst case scenario as session reuse = 0%

Improved Server Performance Under Peak Loads
ECC 256 has better performance than RSA at 0, 90k and 200k connections
ECC performance numbers are expected to significantly improve over time as the industry optimizes for ECC as they did for RSA
With better performance customers will need to purchase fewer servers to handle SSL connections, a big cost savings

Performance Efficiencies
- Uses less server power
- Handles more requests
- Scalable

Source: Symantec Internal Research and Testing

Web pages encrypted w/ECC load faster than those with RSA
In terms of server performance, ECC
- Uses less server power
- Handles more requests
- Scales well to handle:
  - Traffic spikes
  - Business growth
  - Enterprise-wide network security

Test configuration
- ECC: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- RSA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- ECC 384-256-256; RSA 2048-2048-2048
- Desktop page sizes: 0K, 90K, 200K
- Server specifications: 8 cores; 7 GiB of memory; clock frequency: 2.33 GHz; network: 1 Gbps
- Web server: Apache 2.4.3; openssl: 1.0.1c
- Server time: includes SSL Handshake time (key derivations: ECDHE) + data encryption + file transfer time
- Worst case scenario as session reuse = 0%

Improved Desktop Performance and User Experience
As a server gets hit with more traffic, ECC processes more requests in less time than RSA without affecting load
Source: Symantec Internal Research and Testing

Industry-leading Companies Partner with Symantec to Accelerate ECC Adoption

Symantec RSA and DSA Provides More Choices
- RSA is currently 100% of the World's SSL Certificate install base
- If you're on the web and see HTTPS, you're using RSA
- The industry this year will move from 1024 to 2048-bit keys
- From a brute force attack perspective, RSA 2048 keys will be viable until 2030
- DSA was developed by the NSA (US Government) as an alternative to RSA
- Although historically of interest to the US public sector, it is yet another choice in crypto algorithm
- DSA offers the same security and key length as RSA, with different math
- Both RSA and DSA are offered at 2048 bits and are equivalent in security strength and performance

The Most Common SSL Concerns by Enterprises
Internal applications
Biggest certificate issues due to the following:
- Unexpected Expirations
- Rogue Certificates
- Misconfigured Certificates
- Missed Server Install
- Security Breaches
What does this cost an enterprise?
Typical company lost $222k last year due to certificate mishaps
- Missed sales opportunities
- Damage to brand and credibility
- Defection to competitors
- Calls to customer support
- Lost productivity
- Calls to tech support
Source: Symantec SSL Management Customer Survey, February 2013

Symantec Certificate Intelligence Center 2.0 (New)
Discover, Track and Automate SSL Certificate lifecycle
Automation
- Avoid painful, multi-step process to renew, replace and install a certificate
- Consolidate to Symantec certificates
- Auto-discover supported applications
- Eliminate human error and installation overhead
Discovery and Business Continuity
- Highly optimized discovery of SSL certificates
- Scheduled and on-demand discovery capabilities
- Rich reporting functionality
- Notification capabilities

Symantec Secure App Service (New)
Secure and Track Code Signing Keys
Security and Control
- Prevent security compromise with unique keys for each signing
- Maintain control and avoid stolen or misplaced keys by storing keys with a trusted Certificate Authority
- Ensure accountability with full audit and reporting capabilities
- Provide support for a wide range of file options including Microsoft Authenticode, Java .jar, Java Mobile and Android
- Easily integrate with enterprise environment via SOAP API
- Full management GUI available in Summer 2013

Malvertisements and Repercussions
An advertisement infected with malware = malvertisement
- Prime Time for Attacks: Peak online traffic, long weekend, etc.
- Increase 20x from 2010 to 2012
- 50%+ publishers have experienced 1+ times
Repercussions
- Business Disruption
- Loss of Revenue
- Brand and Reputation Damage
- Long Term Business Impact
- Reparation Costs
Source: Symantec AdVantage Malvertising Survey, September 2012

Symantec AdVantage
Real-time detection, notification and analysis of malvertisements
Brand Protection and Business Continuity
- Avoid browser shutdowns and being blacklisted with real-time detection and instant notification of malvertisements
- Identify new threats including zero-day threats, with new revolutionary scanning methodology
- Improve security with visual ad trace-back to track source of malvertisement
- Develop strategic business decisions based on detailed ad analytics, reputation scores and other key data points

"Symantec AdVantage provides critical security against the malicious advertisements that can ruin display advertising, damage brand reputation and ultimately, hurt eCommerce businesses."
Eng Tat, Head of Technology Development, Innity

WSS Advances Future of Online Trust and Protection
Leadership: Algorithm Agility with ECC, DSA and RSA
First Certificate Authority (CA) to offer commercially available ECC solutions for:
- Improved protection
- Improved server performance under peak loads
- Improved desktop performance for better end user experience
- Meeting NIST, government and compliance requirements
Symantec partners with industry leaders to accelerate ECC adoption
New to WSS Portfolio: CIC v2, Secure App Service, AdVantage

Symantec Website Security Solutions accelerates the growth of online information sharing and eCommerce

Q&A

Thank you!

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Quotes

"The future is going to necessitate increasingly higher security cryptography and Akamai sees ECC as a technology that will allow cloud platforms to scale to meet those security demands without the crippling complexity of today's common algorithms," explained Stephen Ludin, chief architect, Akamai Technologies. "It is a significant step forward to better protect our data online in this hyper-connected world. As the Certificate Authority ecosystem for ECC gets ready, we will be building support into the Akamai Intelligent Platform."
"Citrix recognizes that ECC encryption represents the future of SSL encryption," said Steve Shah, Sr. Director, Citrix. "This shift in the cryptographic infrastructure is clearly a next generation approach to the security ecosystem, allowing for better scalability in cloud computing and the supporting infrastructure. Once the certification authority infrastructure is in place, the trend will be clear to follow for networking product groups to make remote datacenters more accessible quickly, even allowing for increasing key sizes and increasing security needs."
"F5 helps customers seamlessly combine industry-leading traffic management with security and access solutions, including VPN and SSL encryption capabilities," said Jason Needham, VP of Product Management and Product Marketing, F5 Networks. "One of the primary goals is to give organizations more choice and flexibility in deploying technologies to suit their business needs. F5 is proud to team up with leaders like Symantec to help enterprises and service providers enhance web and mobile security while scaling to better support cloud and BYOD initiatives."
"We believe in constantly furthering web security, which is why Chrome supports Elliptic Curve Digital Signature Algorithm (ECDSA) on all modern operating systems," said Adam Langley, software engineer at Google.
"HID Global specializes in security access solutions for the cloud, data and the door, with a comprehensive portfolio incorporating both physical and logical access solutions," said Julian Lovelock, VP of Product Marketing at HID Global. "We're very supportive of the new DSA and ECC algorithm options emerging in the marketplace, and we strongly feel that where the NIST Suite B has drawn up the future of security algorithms, the industry will follow."

"Juniper's SSL VPN solution, #1 in the world market, supports both ECC and DSA algorithms for added security and flexibility. The Junos Pulse SSL VPN client and gateway software are both FIPS compliant," said Michael Callahan, VP of product marketing, Juniper Networks. "We are fully committed to and continue to invest in standards-based security solutions, including the strictest of NIST Suite B standards for our customers, across federal, enterprise and service provider markets."
At Opera we are committed to both high quality and security, and we welcome the adoption of new and improved security standards on the web. Elliptic Curve Cryptography provides significant improvements over earlier algorithm standards, and we are delighted to see Symantec support it. Opera's Presto engine added support for ECC in version 395. Source: Security Manager at Opera
"Red Hat and Symantec have long collaborated to bring compelling, secure solutions to our customers. We continue to be interested in providing the advantages of increased security and computational efficiency that elliptical curve cryptography (ECC) offers for key management and digital signature, and have been an active participant with Symantec in Project Beacon. Currently, our Red Hat Certificate System supports ECC public-key cryptographic systems and continues to enhance its web browser and operating system ECC support." - Bryan Che, General Manager, Cloud Business Unit, Red Hat