Difference between revisions of "CA:MD5and1024"
m (→Dates for Phasing out MD5-based signatures and 1024-bit moduli) |
m (→Dates for Phasing out MD5-based signatures and 1024-bit moduli) |
||
Line 7: | Line 7: | ||
** [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes:] Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for '''legacy''' use after 2010. | ** [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes:] Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for '''legacy''' use after 2010. | ||
*** This means that the CA must assess the risk involved in issuing such a certificate for legacy use/interoperability, and determine if they are willing to accept the risk, as well as any possible liability. The subject and relying parties also need to determine if they will accept any risks and liabilities. | *** This means that the CA must assess the risk involved in issuing such a certificate for legacy use/interoperability, and determine if they are willing to accept the risk, as well as any possible liability. The subject and relying parties also need to determine if they will accept any risks and liabilities. | ||
− | ** | + | ** Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013. This date could get moved up substantially if necessary to keep our users safe. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible. |
** CAs who continue to issue certificates with RSA key size smaller than 2048 bits must use randomness in the serial number or in one of the fields in the DN. | ** CAs who continue to issue certificates with RSA key size smaller than 2048 bits must use randomness in the serial number or in one of the fields in the DN. | ||
* '''December 31, 2013''' – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits. | * '''December 31, 2013''' – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits. |
Revision as of 14:05, 5 October 2010
Dates for Phasing out MD5-based signatures and 1024-bit moduli
High Level Summary of Dates:
- June 30, 2011 – Mozilla will stop accepting MD5 as a hash algorithm for intermediate and end-entity certificates. After this date software published by Mozilla will return an error when a certificate with an MD5-based signature is used.
- This change is being tracked in Bugzilla #590364.
- December 31, 2010 – CAs should stop issuing intermediate and end-entity certificates from roots with RSA key sizes smaller than 2048 bits. All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits under any root.
- DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes: Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for legacy use after 2010.
- This means that the CA must assess the risk involved in issuing such a certificate for legacy use/interoperability, and determine if they are willing to accept the risk, as well as any possible liability. The subject and relying parties also need to determine if they will accept any risks and liabilities.
- Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013. This date could get moved up substantially if necessary to keep our users safe. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible.
- CAs who continue to issue certificates with RSA key size smaller than 2048 bits must use randomness in the serial number or in one of the fields in the DN.
- DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes: Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for legacy use after 2010.
- December 31, 2013 – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits.
Caveats to proposed dates:
- Mozilla will take these actions earlier and at its sole discretion if necessary to keep our users safe.
- CAs may request that their legacy roots be disabled or removed from NSS earlier, according to the Root Change Process
Background
MD5 certificates may be compromised when attackers can create a fake cert that hashes to the same value as one with a legitimate signature, and is hence trusted. Mozilla can mitigate this potential vulnerability by turning off support for MD5-based signatures. The MD5 root certificates don’t necessarily need to be removed from NSS, because the signatures of root certificates are not validated (roots are self-signed). Disabling MD5 will impact intermediate and end entity certificates, where the signatures are validated.
The relevant CAs have confirmed that they stopped issuing MD5 certificates. However, there are still many end entity certificates that would be impacted if support for MD5-based signatures was turned off in 2010. Therefore, we are hoping to give the affected CAs time to react, and are proposing the date of June 30, 2011 for turning off support for MD5-based signatures. The relevant CAs are aware that Mozilla will turn off MD5 support earlier if needed.
The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.
The NIST recommendation is to discontinue 1024-bit RSA certificates by December 31, 2010. Therefore, CAs have been advised that they should not sign any more certificates under their 1024-bit roots by the end of this year.
The date for disabling/removing 1024-bit root certificates will be dependent on the state of the art in public key cryptography, but under no circumstances should any party expect continued support for this modulus size past December 31, 2013. As mentioned above, this date could get moved up substantially if new attacks are discovered. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible.
NIST Recommendations
According to NIST SP 800-57 the recommended algorithms and minimum key sizes are as follows:
- Through 2010 (minimum of 80 bits of strength)
- FFC (e.g., DSA, D-H) Minimum: L=1024; N=160
- IFC (e.g., RSA) Minimum: k=1024
- ECC (e.g. ECDSA) Minimum: f=160
- Through 2030 (minimum of 112 bits of strength)
- FFC (e.g., DSA, D-H) Minimum: L=2048; N=224
- IFC (e.g., RSA) Minimum: k=2048
- ECC (e.g. ECDSA) Minimum: f=224
- Beyond 2030 (minimum of 128 bits of strength)
- FFC (e.g., DSA, D-H) Minimum: L=3072; N=256
- IFC (e.g., RSA) Minimum: k=3072
- ECC (e.g. ECDSA) Minimum: f=256
The NIST document also has this footnote about the SHA-1 Hash Function:
- SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures; at the publication of this Recommendation, the security strength against collisions is assessed at 69 bits. The use of SHA-1 is not recommended for the generation of digital signatures in new systems; new systems should use one of the larger hash functions. (SHA-224, SHA-256, SHA-384 and SHA-512)
NIST has provided: DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes. As of September 14, 2010, NIST representatives are addressing the comments and hope to have a final version posted in the next few weeks. The document (dated June 2010) includes the following guidance.
- Digital signature generation:
- The use of key lengths providing 80 bits of security strength is acceptable for digital signature generation through December 31, 2010.
- From January 1, 2011 through December 31, 2013, the use of key lengths providing 80 bits of security strength is deprecated. The user must accept risk when using these keys, particularly when approaching the December 31, 2013 upper-limit date. This is especially critical for digital signatures on data whose signature is required to be valid beyond this date. Appendix A.2 provides rationale for this modified guidance. See Section 5.6.2 of [SP 800-57] for further guidance.
- After December 31, 2013, key lengths providing less than 112 bits of security strength shall not be used to generate signatures.
- Key lengths providing at least 112 bits of security are acceptable.
- Digital signature verification:
- Key lengths providing 80 bits of security using approved digital signature algorithms are acceptable through 2010.
- Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for legacy use after 2010.
- Key lengths providing at least 112 bits of security using approved digital signature algorithms are acceptable.