4

Sometimes I see web pages advertising a site's support for SSL with a given bit length (commonly 128), and saying that visitors need certain browsers that support this. Is 128-bit SSL common now, or have we moved beyond this? What is browser support like for SSL with different key lengths, and how has it changed over time? Was there a race for SSL key length support similar to the current race for HTML5 compliance and JavaScript performance?

Mr. Jefferson
  • SSL isn't a cipher, it's a protocol. The key size is dependent entirely on the cipher being used, e.g. RC4, AES, 3DES, etc. – Polynomial Jan 03 '13 at 16:50

2 Answers

6

In SSL/TLS, the client and the server negotiate the use of a cipher suite which they both support. The cipher suite defines which cryptographic algorithms will be used; in particular, this defines the key length for encryption.

In Days of Yore (circa 1996), regulations about usage and distribution of cryptography were not the same as today; in particular, the USA had strict export regulations, limiting the size of keys that software could manage, if said software was to be distributed beyond the USA borders. There were cipher suites with 40-bit keys (so-called "export cipher suites", allowed for general export), cipher suites with 56-bit keys (using the DES algorithm), which could be exported to a handful of "friend countries", and some cipher suites with bigger keys (128 or 168) which could not, theoretically, be exported.

Therefore the first crop of SSL-aware Web browsers could do SSL, but often not with 128-bit keys.

In 2000, the US regulations were lifted. Around the same time, similar regulations in various other countries were also removed or lightened; the general goal was to allow OS and browser vendors to distribute software with support for 128-bit encryption, in a worldwide way. When a site was configured to support only cipher suites with 128-bit keys (or longer), it became customary to add an explicit notice to that effect, just in case the client still uses a browser from the pre-2000 era, never updated. (Of course, a browser which has not been updated in 13 years is likely to induce some other, more serious security issues.)

Browsers and operating systems which do not support 128-bit cipher suites may still be encountered in some countries which exercise forms of democracy where the demo does not cracy much in practice.

Keys longer than 128 bits are useless. 128 bits are already quite enough to ensure that the key length is not a practical weakness (not now, not in 40 years either). Bigger numbers have some appeal to the unaware, who just assume that longer keys are better "generically"; but even though marketing departments are readily using such arguments, this is scientifically unsubstantiated. There are cipher suites in TLS with 256-bit keys; they are handy to placate administrations which have become prey to such illusions.

Thomas Pornin
  • Are you sure that the export restrictions were lifted in 2000? I know they still existed at the time I took my graduate level cryptography course in 2005. Wikipedia seems to indicate that they still exist as of 2009, they were just relaxed partially in 1996. – AJ Henderson Jan 03 '13 at 18:53
  • I might use the wrong term, but I say "lifted" as in "raised to another level". There are _still_ regulations, but they allow export of software which does 128-bit encryption (but not higher). Of course there are details (declaration procedures, maximum delays, special cases for a few destination countries...). – Thomas Pornin Jan 03 '13 at 18:55
  • Ah, yeah, I know as of 2005 they were still working on making 128 bit algorithms in foreign countries with foreign teams to avoid US export law. I also clearly remember being informed that my brain now falls under US export law due to the knowledge I got in my course. – AJ Henderson Jan 03 '13 at 18:57
  • @AJHenderson, Thomas Pornin is correct. The export restrictions were not eliminated, but they were greatly relaxed, sufficiently to allow open source software to use strong cryptography, and also sufficient to allow commercial software to use strong cryptography (if the manufacturer follows some very modest steps, I think). – D.W. Jan 03 '13 at 21:05
  • @D.W. yeah, they are greatly relaxed. As I understand it, it's basically just required that they make someone click a box that says "I am not a resident or national of countries a,b,c,d,e... and agree not to export it to them." It's really kind of a silly law at this point, even if it is still on the books. I think it is more there out of spite at this point. – AJ Henderson Jan 03 '13 at 21:23
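
The cipher-suite negotiation described in the answer above, as an added example that is not part of the original answers or comments. It is a simplified model that assumes the server picks by its own preference order; the suite names and IDs are real registry entries, while the client and server lists and the `min_bits` policy parameter are constructed for illustration.

```python
# Added illustration: simplified model of SSL/TLS cipher-suite selection.
# Suite names and IDs are from the IANA TLS registry; the bit counts are the
# nominal symmetric key lengths. Client/server lists are constructed samples.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

def negotiate(client_offer, server_prefs, min_bits=0):
    """Return (name, key_bits) of the first suite in the server's preference
    order that the client also offered and that meets min_bits, or None
    when there is no acceptable common suite (handshake failure)."""
    offered = set(client_offer)
    for suite_id in server_prefs:
        name, bits = SUITES[suite_id]
        if suite_id in offered and bits >= min_bits:
            return name, bits
    return None

# Constructed sample peers (hypothetical configurations).
EXPORT_BROWSER = [0x0003, 0x0008]                  # 40-bit export suites only
MODERN_BROWSER = [0x0035, 0x002F, 0x000A, 0x0005]  # 128-bit and longer
PERMISSIVE_SERVER = [0x002F, 0x0035, 0x000A, 0x0009, 0x0008, 0x0003]
STRICT_SERVER = [0x002F, 0x0035]                   # 128-bit or longer only

def report():
    """Negotiate every client/server pairing and return the outcomes."""
    rows = []
    for cname, client in (("export", EXPORT_BROWSER), ("modern", MODERN_BROWSER)):
        for sname, server in (("permissive", PERMISSIVE_SERVER),
                              ("strict", STRICT_SERVER)):
            rows.append((cname, sname, negotiate(client, server)))
    return rows

if __name__ == "__main__":
    for cname, sname, result in report():
        outcome = "%s (%d-bit)" % result if result else "handshake failure"
        print(f"{cname:7} client / {sname:10} server -> {outcome}")
```

The export-era client only connects to the permissive server, and then at 40 bits; against the 128-bit-only server there is no common suite, which is the situation the "requires a 128-bit browser" notices were written for.
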
3

The big key with 128 bit algorithms on SSL was/is that 128 bit encryption algorithms fall under US Export Control laws and thus any 128 bit encryption designed in the US couldn't be exported to certain locales. That made 56 bit algorithms necessary for certain visitors. As more versions of algorithms have been developed outside the US and thus are exportable, the use of 128 bit algorithms has been able to become more universal.

Currently 128 bit key lengths are considered secure, but I believe there are now commercially available SSL certificates that use at least 256 bit key lengths. I'm not aware of any great rush to get them though as they aren't really all that necessary unless the site needs to be paranoid about future-proofing pretty far into the future.

AJ Henderson