
One of the SSL certificates mentioned here says "128 / 256 bit SSL and 2048 bit CSR encryption". Does that mean that generating the certificate is very secure but the communications handled by the certificate are not?

Or is "CSR encryption"?!? used to enhance the standard SSL?

Are all 2048 bit certificates as above or are there others which are 2048 bit CSR and 2048 bit SSL?

In short, if I want a very secure certificate, what exactly am I looking for?

Basic
  • A CSR is a Certificate Signing Request; it is, in theory, used to indicate the name you want in a certificate as well as to prove that you have possession of the public key you want attached to that name. – Ram Sep 20 '11 at 18:46

1 Answer


SSL uses several encryption algorithms at different points.

Typically it will use asymmetric cryptography to authenticate the hosts and establish trust between the client and server. Then a random key will be generated and shared between the hosts, and a symmetric cryptography algorithm will be used for the actual payload.

Typically the asymmetric key will be RSA with key sizes of 1024, 2048, or 4096. The key size doesn't really affect the symmetric cipher that is used for the payload. These days most certificate vendors will sign a 2048- or 4096-bit certificate request; key sizes of 1024 are pretty weak. While most CA keys are 2048 bits, many will sign larger keys, so you don't have to limit your private key to 2048 bits.

The symmetric algorithm that is used will depend on the client and server. The client and server will select the most secure option available. If you are using Apache, then you use SSLCipherSuite to select which symmetric ciphers you will permit.

Asymmetric cryptography has the large key sizes (2048, 4096), and it is very slow. That is why it is only used during the initial phase. Once the connection is established, communication happens over the relatively fast symmetric cryptography, which uses the smaller key sizes (128, 256).

Zoredache
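Zoredache's SSLCipherSuite remark can be checked offline with Python's standard `ssl` module, which accepts the same OpenSSL cipher-string grammar that Apache's directive takes. The block below is an added example and is not code from the answer, from Apache or from OpenSSL; the cipher strings in it are constructed for illustration, and the exact suites listed depend on the OpenSSL build behind the interpreter.

```python
"""Inspect which cipher suites an OpenSSL-style cipher string permits.

Added example, not part of the original answer. It uses Python's standard
``ssl`` module, so the suites listed depend on the OpenSSL build behind it.
The cipher strings used below are constructed for illustration.
"""
import ssl


def allowed_suites(cipher_string: str) -> list:
    """Return the cipher suites that *cipher_string* enables, as dicts.

    Each dict comes from SSLContext.get_ciphers() and carries the suite
    name, the protocol it belongs to and ``strength_bits`` (the symmetric
    key size, e.g. 128 or 256). Raises ssl.SSLError if the string selects
    nothing the library is willing to use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # same grammar as Apache's SSLCipherSuite
    return ctx.get_ciphers()


def symmetric_key_sizes(cipher_string: str) -> set:
    """The set of symmetric (bulk) key sizes the string allows."""
    return {c["strength_bits"] for c in allowed_suites(cipher_string)}


def weakest_suite(cipher_string: str) -> dict:
    """The permitted suite with the smallest symmetric key."""
    return min(allowed_suites(cipher_string), key=lambda c: c["strength_bits"])


if __name__ == "__main__":
    # Constructed, restrictive selection: ephemeral ECDH for key exchange,
    # AES-GCM or ChaCha20-Poly1305 for the payload. Note that the 2048- or
    # 4096-bit certificate key never appears here; only bulk key sizes do.
    strong = "ECDHE+AESGCM:ECDHE+CHACHA20"
    for c in allowed_suites(strong):
        print(f'{c["name"]:<35} {c["protocol"]:<8} {c["strength_bits"]} bit')
    print("symmetric key sizes:", sorted(symmetric_key_sizes(strong)))
    print("weakest permitted suite:", weakest_suite(strong)["name"])

    # Asking only for a long-broken cipher: a modern OpenSSL refuses outright.
    try:
        allowed_suites("RC4")
    except ssl.SSLError as exc:
        print("RC4 rejected by the library:", exc)
```

On an OpenSSL 1.1.1 or 3.x build the TLS 1.3 suites are always listed in addition to whatever the string selects, which is why the output contains both `TLS_AES_256_GCM_SHA384`-style names and the older `ECDHE-RSA-AES256-GCM-SHA384` style; all of them report 128 or 256 for `strength_bits`, matching the "128 / 256 bit SSL" figure in the question.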
  • Encryption is actually optional in SSL/TLS. Normally SSL is used to authenticate the server, or both the server and the client; then, depending on the configuration of the client and server, it may use the asymmetric keys used for authentication in the initial negotiation steps to generate a (temporary) Master encryption key which is then used to generate (even more temporary) encryption keys. – Ram Sep 20 '11 at 18:49
  • @Zoredache Thank you for the very detailed answer. Can I then clarify - the smaller keys used for the payload - are they unique per packet? That is to say if you broke the asymmetric bit, you'd get the random key which would allow you to calculate the symmetric keys for each packet but breaking a single packet by brute force won't expose anything other than that packet? – Basic Sep 22 '11 at 18:52
  • They are not unique per packet, they are unique per connection. But I believe SSL can periodically change the session key and does for some applications. – Zoredache Sep 22 '11 at 18:59
  • The bulk encryption key is used for a while; the client or server will decide it is time to generate a new bulk encryption key every so often, and they use the master secret key to do so. Wikipedia has a [decent walk through](http://en.wikipedia.org/wiki/Transport_Layer_Security#Simple_TLS_handshake) if you're curious on the topic. – Ram Sep 22 '11 at 19:27
  • @Ram and Zoredache thanks both of you - perfect answer :) – Basic Sep 22 '11 at 22:08
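The comment exchange above (bulk keys unique per connection rather than per packet, and fresh bulk keys derived from the master secret) is the TLS 1.2 key schedule of RFC 5246. The block below is an added example and not part of the original thread; it uses only the standard library, assumes the asymmetric step has already delivered the 48-byte premaster secret (that RSA or DH handoff is stood in for by a plain function argument), and the random values in it are constructed.

```python
"""Derive per-connection bulk keys the way TLS 1.2 does (RFC 5246 sections
5, 6.3 and 8.1), to show why the symmetric keys are unique per connection
rather than per packet, and how a resumed session gets new bulk keys from
the same master secret.

Added example, not from the original answer. The asymmetric part of the
handshake (RSA-encrypting the premaster secret, or an ephemeral DH
exchange) is assumed to have happened already: the premaster secret is
passed in directly. All sample values are constructed.
"""
import hashlib
import hmac
import secrets


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed                                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret (section 8.1), computed once per full handshake."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              key_len: int = 32, iv_len: int = 4) -> dict:
    """Expand the master secret into per-direction bulk keys (section 6.3).

    Defaults match AES-256-GCM: 32-byte keys, 4-byte implicit nonces and
    zero-length MAC keys because the cipher is an AEAD. Note the seed order
    is server_random + client_random, the reverse of the master secret.
    """
    kb = prf(master, b"key expansion", server_random + client_random,
             2 * key_len + 2 * iv_len)
    return {
        "client_write_key": kb[0:key_len],
        "server_write_key": kb[key_len:2 * key_len],
        "client_write_iv": kb[2 * key_len:2 * key_len + iv_len],
        "server_write_iv": kb[2 * key_len + iv_len:2 * key_len + 2 * iv_len],
    }


def connection_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Full derivation for one connection: premaster -> master -> bulk keys."""
    master = master_secret(premaster, client_random, server_random)
    keys = key_block(master, client_random, server_random)
    keys["master_secret"] = master
    return keys


if __name__ == "__main__":
    # Constructed premaster secret in RSA-key-exchange layout: version bytes
    # followed by 46 random bytes. In real TLS this travels RSA-encrypted.
    premaster = b"\x03\x03" + secrets.token_bytes(46)

    conn1 = connection_keys(premaster, secrets.token_bytes(32), secrets.token_bytes(32))
    conn2 = connection_keys(premaster, secrets.token_bytes(32), secrets.token_bytes(32))
    print("same premaster, different hello randoms, different bulk keys:",
          conn1["client_write_key"] != conn2["client_write_key"])

    # Session resumption (abbreviated handshake, section 7.3): the master
    # secret is reused but fresh randoms give a fresh key block.
    resumed = key_block(conn1["master_secret"], secrets.token_bytes(32), secrets.token_bytes(32))
    print("resumed session reuses master secret but rekeys the bulk cipher:",
          resumed["client_write_key"] != conn1["client_write_key"])
```

Every record on a connection is protected with the same `client_write_key` / `server_write_key` pair until the next handshake, so recovering one record's key exposes the whole connection in that direction, not just one packet; what limits the damage is that each connection, and each resumed session, derives a different key block.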