Transcript
Page 1: Symantec Web Security Solutions

Symantec Website Security Solutions and Algorithm Agility Announcements

February 13, 2013

Quentin Liu, Sr. Director Engineering

Deena Thomchick, Director of Product Marketing

Robert Hoblit, Sr. Director of Product Management

Page 2: Symantec Web Security Solutions

What’s New

• Website Security Solutions (WSS) Vision and Strategy

• New SSL Encryption Algorithms
• Elliptic Curve Cryptography (ECC)
• Digital Signature Algorithm (DSA)
• Symantec’s Partners for ECC Adoption

• Expanding WSS Portfolio to Protect Future of the Internet and eCommerce

• Symantec Certificate Intelligence Center Service
• Symantec Secure App Service
• Symantec AdVantage

Page 3: Symantec Web Security Solutions

Protecting the Hyper-Connected World

Information Explosion

Advanced Threats

eCommerce $1 Trillion

30 Billion Connected Devices

Digital & Social Life

Regulatory & Compliance

Technology Advancements

Clouds

Mobile

Applications

Need for NEW Protection Models to Secure the Future Internet

IT Complexities & Challenges

Advertising $102 Billion

Page 4: Symantec Web Security Solutions

Website Security Solutions Vision

Enable

Enable our customers to meet performance, compliance, privacy and security regulatory requirements

Protect

Protect the information and online presence of our customers and their end users

Trust

Confer Trust to accelerate the growth of online information sharing and global Internet commerce

Enabling people, businesses and countries… to protect and manage their digital information… so they can focus their time and energy achieving their aspirations

4.0

Page 5: Symantec Web Security Solutions

Website Security Solutions Strategy

Trusted Advertising

Trusted Shopping

Trusted Applications

Foundation of Trust on the Internet

Page 6: Symantec Web Security Solutions

Key Drivers Demand the Need for New SSL Solutions

NIST Recommendations

Compliance Requirements

Increased Attacks & Outages

Mobile & Cloud Proliferation

ECC

DSA

RSA

Page 7: Symantec Web Security Solutions

Extending Symantec SSL: New Algorithms and Solutions

First CA to offer 3 crypto algorithms

Available soon in Managed PKI SSL Certificates

More Choices | Improved Performance | Increased Security

No additional charges for ECC and DSA

Page 8: Symantec Web Security Solutions

Elliptic Curve Cryptography Overview

ECC

1. Stronger Encryption

• Shorter key than RSA
• 256-bit ECC = 3072-bit RSA
• 10k times harder to crack than RSA 2048
• Meets NIST recommendations

2. Efficient Performance

• Efficiency increases with higher server loads
• Utilizes less server CPU
• PCs: Faster page load time
• Ideal for mobile devices

3. Highly Scalable

• Large SSL deployments without additional hardware
• Securing the enterprise:
• Use fewer resources
• Lower costs

4. Future of Crypto Tech

• Viable for many years
• Built for Internet of Things
• Supports billions of new devices coming online
• Ideal for Open Networks
• Truly “future proof” trust infrastructure in place

Page 9: Symantec Web Security Solutions

ECC Delivers Increased Security: 10k Times Harder to Break Than RSA Key

[Chart: Key Size (bits) against MIPS Years to break, for ECC and RSA. Current acceptable security level: 10^24 MIPS years. Labels: Current Ind. Std., SYMC ECC.]

ECC offers greater security as compared to other prevalent algorithms. Symantec ECC-256 certificates will offer equivalent security of a 3072-bit RSA certificate.

Compared to a 2048 RSA key (which is the industry norm), ECC-256 keys are 10,000 times harder to crack.

The longer the RSA key, the less applicable it becomes in the real world.

ECC maintains very complex cryptography w/key lengths that meet demands of reality

Source: Symantec Internal Research and Testing

Computations: http://www.nsa.gov/business/programs/elliptic_curve.shtml

Page 10: Symantec Web Security Solutions

Improved Server Performance Under Peak Loads

• ECC 256 has better performance than RSA at 0, 90k and 200k connections

• ECC performance numbers are expected to significantly improve over time as the industry optimizes for ECC as they did for RSA

• With better performance – customers will need to purchase fewer servers to handle SSL connections – a big cost savings

• Performance Efficiencies
- Uses less server power
- Handles more requests
- Scalable

Source: Symantec Internal Research and Testing

Web pages encrypted w/ECC load faster than those with RSA

Page 11: Symantec Web Security Solutions

Improved Desktop Performance and User Experience

As a server gets hit with more traffic,

ECC…

without affecting load…

in less time…

processes more requests…

…than RSA

Source: Symantec Internal Research and Testing

Page 12: Symantec Web Security Solutions

Industry-leading Companies Partner with Symantec to Accelerate ECC Adoption

Page 13: Symantec Web Security Solutions

Symantec RSA and DSA Provide More Choices

• RSA is currently 100% of the World’s SSL Certificate install base

• If you’re on the web and see HTTPS, you’re using RSA

• The industry this year will move from 1024 to 2048-bit keys

• From a brute force attack perspective, RSA 2048 keys will be viable until 2030

• DSA was developed by the NSA (US Government) as an alternative to RSA

• Although historically of interest to the US public sector, it is yet another choice in crypto algorithm

• DSA offers the same security and key length as RSA, with different math

Both RSA and DSA are offered at 2048 bits and are equivalent in security strength and performance

Page 14: Symantec Web Security Solutions

The Most Common SSL Concerns by Enterprises

Biggest certificate issues due to the following:

• Unexpected Expirations
• Rogue Certificates
• Misconfigured Certificates
• Missed Server Install
• Security Breaches

What does this cost an enterprise?

“Typical company lost $222k last year due to certificate mishaps”

• Missed sales opportunities
• Damage to brand and credibility
• Defection to competitors
• Calls to customer support
• Lost productivity
• Calls to tech support

Source: Symantec SSL Management Customer Survey, February 2013

Page 15: Symantec Web Security Solutions

Symantec® Certificate Intelligence Center 2.0

Discover, Track and Automate SSL Certificate lifecycle

Automation

• Avoid painful, multi-step process to renew, replace and install a certificate
• Consolidate to Symantec certificates
• Auto-discover supported applications
• Eliminate human error and installation overhead

Discovery and Business Continuity

• Highly optimized discovery of SSL certificates
• Scheduled and on-demand discovery capabilities
• Rich reporting functionality
• Notification capabilities

New

Page 16: Symantec Web Security Solutions

Symantec® Secure App Service

Secure and Track Code Signing Keys

Security and Control

• Prevent security compromise with unique keys for each signing
• Maintain control and avoid stolen or misplaced keys by storing keys with a trusted Certificate Authority
• Ensure accountability with full audit and reporting capabilities
• Provide support for a wide range of file options including Microsoft Authenticode, Java .jar, Java Mobile and Android
• Easily integrate with enterprise environment via SOAP API
• Full management GUI available in Summer 2013

New

Page 17: Symantec Web Security Solutions

Malvertisements and Repercussions

An advertisement infected with malware = malvertisement

Increase 20x from 2010 to 2012

50% + publishers have experienced 1+ times

Prime Time for Attacks: Peak online traffic, long weekend, etc.

Repercussions

• Business Disruption
• Loss of Revenue
• Brand and Reputation Damage
• Long Term Business Impact
• Reparation Costs

Source: Symantec AdVantage Malvertising Survey, September 2012

Page 18: Symantec Web Security Solutions

Symantec® AdVantage

Real-time detection, notification and analysis of malvertisements

• Avoid browser shutdowns and being blacklisted with real-time detection and instant notification of malvertisements

• Identify new threats including zero-day threats, with new revolutionary scanning methodology

• Improve security with visual ad trace-back to track source of malvertisement

• Develop strategic business decisions based on detailed ad analytics, reputation scores and other key data points

Brand Protection and Business Continuity

“Symantec AdVantage provides critical security against the malicious advertisements that can ruin display advertising, damage brand reputation and ultimately, hurt eCommerce businesses.”

Eng Tat, Head of Technology Development, Innity

Page 19: Symantec Web Security Solutions

WSS Advances Future of Online Trust and Protection

• Leadership: Algorithm Agility with ECC, DSA and RSA

• First Certificate Authority (CA) to offer commercially available ECC solutions for:

- Improved protection
- Improved server performance under peak loads
- Improved desktop performance for better end user experience
- Meeting NIST, government and compliance requirements

• Symantec partners with industry leaders to accelerate ECC adoption

• New to WSS Portfolio: CIC v2, Secure App Service, AdVantage

Symantec Website Security Solutions accelerates the growth of online information sharing and eCommerce

Page 20: Symantec Web Security Solutions

Q & A

Page 21: Symantec Web Security Solutions

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Page 22: Symantec Web Security Solutions

Quotes

“The future is going to necessitate increasingly higher security cryptography and Akamai sees ECC as a technology that will allow cloud platforms to scale to meet those security demands without the crippling complexity of today’s common algorithms,” explained Stephen Ludin, chief architect, Akamai Technologies. “It is a significant step forward to better protect our data online in this hyper-connected world. As the Certificate Authority ecosystem for ECC gets ready, we will be building support into the Akamai Intelligent Platform.”

“Citrix recognizes that ECC encryption represents the future of SSL encryption,” said Steve Shah, Sr. Director, Citrix. “This shift in the cryptographic infrastructure is clearly a next generation approach to the security ecosystem, allowing for better scalability in cloud computing and the supporting infrastructure. Once the certification authority infrastructure is in place, the trend will be clear to follow for networking product groups to make remote datacenters more accessible quickly, even allowing for increasing key sizes and increasing security needs.”

“F5 helps customers seamlessly combine industry-leading traffic management with security and access solutions, including VPN and SSL encryption capabilities,” said Jason Needham, VP of Product Management and Product Marketing, F5 Networks. “One of the primary goals is to give organizations more choice and flexibility in deploying technologies to suit their business needs. F5 is proud to team up with leaders like Symantec to help enterprises and service providers enhance web and mobile security while scaling to better support cloud and BYOD initiatives.”

“We believe in constantly furthering web security, which is why Chrome supports Elliptic Curve Digital Signature Algorithm (ECDSA) on all modern operating systems,” said Adam Langley, software engineer at Google.

Page 23: Symantec Web Security Solutions

Quotes

“HID Global specializes in security access solutions for the cloud, data and the door, with a comprehensive portfolio incorporating both physical and logical access solutions,” said Julian Lovelock, VP of Product Marketing at HID Global. “We’re very supportive of the new DSA and ECC algorithm options emerging in the marketplace, and we strongly feel that where the NIST Suite B has drawn up the future of security algorithms, the industry will follow.”

“Juniper's SSL VPN solution, #1 in the world market, supports both ECC and DSA algorithms for added security and flexibility. The Junos Pulse SSL VPN client and gateway software are both FIPS compliant,” said Michael Callahan, VP of product marketing, Juniper Networks. “We are fully committed to and continue to invest in standards-based security solutions, including the strictest of NIST Suite B standards for our customers, across federal, enterprise and service provider markets.”

“At Opera we are committed to both high quality and security, and we welcome the adoption of new and improved security standards on the web. Elliptic Curve Cryptography provides significant improvements over earlier algorithm standards, and we are delighted to see Symantec support it. Opera's Presto engine added support for ECC in version 395.” Source: Security Manager at Opera

“Red Hat and Symantec have long collaborated to bring compelling, secure solutions to our customers. We continue to be interested in providing the advantages of increased security and computational efficiency that elliptical curve cryptography (ECC) offers for key management and digital signature, and have been an active participant with Symantec in Project Beacon. Currently, our Red Hat Certificate System supports ECC public-key cryptographic systems and continues to enhance its web browser and operating system ECC support.” - Bryan Che, General Manager, Cloud Business Unit, Red Hat

