On August 1, Google is changing the RSA keys in its SSL certificates from 1024-bit to 2048-bit. According to the US National Institute of Standards and Technology (NIST), a security strength of 112 bits or more is considered acceptable until the end of 2030, whereas anything below 112 bits is already considered deprecated. RSA is a public-key cipher: one key encrypts and a different key decrypts, so the encryption key can be published while the decryption key stays private. Under current standards a 1024-bit RSA key provides only about 80 bits of security strength.
NIST's transition schedule raises the minimum security strength (expressed as the equivalent symmetric key size) from 80 bits to 112 bits in 2014, and from 112 to 128 bits in 2031. For RSA this means the minimum key size doubles from 1024 to 2048 bits in 2014 and rises again to 3072 bits in 2031. These steps are a response to the steady growth in computing power available for brute-force and factoring attacks, which shrinks the safety margin of the smaller keys over time.
Google's director of information security engineering blogged that users' security and privacy is a top priority, and that Google is therefore upgrading the RSA keys in the SSL certificates used for every connection made to Google. He added that Google would also replace its root certificate, which carries a 1024-bit RSA key.
As a result, client software that makes SSL connections to Google must meet the following requirements:
- Perform normal validation of the certificate chain.
- Include a properly extensive set of root certificates.
- Support Subject Alternative Names (SANs).
In addition, clients should support Server Name Indication (SNI), which places the host name in the SSL handshake; setting it may require an extra API call on the SSL connection. If you are not certain that your client sends SNI, test it against https://googlemail.com. Google also announced that it may change the intermediate certificate authority used to sign its certificates from time to time, so clients must not hard-code the intermediate.
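If the device under test cannot reach googlemail.com, an offline way to answer the same question is to capture the first record the client sends and look for the server_name extension in its ClientHello. The following is an added example, not code from Google or from the original post: build_client_hello() produces a constructed ClientHello (not a real capture) with or without SNI, and extract_sni() walks the handshake to report the host name the client asked for, or None when the client sent none. It assumes a single, complete TLS record.

```python
"""Detect whether a TLS ClientHello carries the Server Name Indication (SNI)
extension. Added example; build_client_hello() produces constructed test
input, not a capture, and extract_sni() assumes a single complete record."""
import struct


def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello record with one cipher suite; pass
    server_name=None to mimic a client that does not send SNI."""
    body = b"\x03\x03" + bytes(32)              # client_version, random (zeroed)
    body += b"\x00"                             # session_id: empty
    body += b"\x00\x02\x00\x2f"                 # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                         # compression_methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(name)) + name      # NameType host_name(0)
        server_name_list = struct.pack(">H", len(entry)) + entry
        extensions += struct.pack(">HH", 0x0000, len(server_name_list)) + server_name_list
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Host name from the SNI extension of a ClientHello record, or None if
    the client did not send one (the case Google warns about)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                             # strip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                            # handshake header, version, random
    pos += 1 + hs[pos]                          # session_id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                          # compression_methods
    if pos >= len(hs):
        return None                             # no extensions block at all
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                  # server_name extension
            cursor = pos + 2                    # skip ServerNameList length
            while cursor < pos + elen:
                name_type = hs[cursor]
                name_len = struct.unpack(">H", hs[cursor + 1:cursor + 3])[0]
                if name_type == 0:              # host_name
                    return hs[cursor + 3:cursor + 3 + name_len].decode("ascii")
                cursor += 3 + name_len
        pos += elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("googlemail.com")))   # googlemail.com
    print(extract_sni(build_client_hello()))                   # None
```

On a real capture, pass extract_sni() the bytes of the first record the client sends; a client that is missing SNI will come back as None even though the rest of the handshake looks healthy. In Python's own ssl module the name is supplied by passing server_hostname= to SSLContext.wrap_socket(), which is the hook other libraries expose as the separate API call mentioned above.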
Most client software will not have any issues with these changes, but Google knows that some configurations will need additional steps to avoid problems.
Devices with incomplete or outdated certificate validation will run into trouble: phones, set-top boxes, cameras, and apps that have no update mechanism and do their own certificate validation instead of relying on the operating system's. Google is raising these issues ahead of time so that the whole ecosystem can prepare. Software that ships its own list of trusted roots must therefore provide a way to update that list, since roots expire and are replaced over time.
The Certificate Authority/Browser Forum's Baseline Requirements mandate that certificate authorities issue SSL certificates with RSA keys of at least 2048 bits from 1 January 2014.
Check Your RSA Key
You can check your RSA key with the SSL Checker Tool, which shows a warning when your certificate carries an RSA key shorter than 2048 bits.
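To make the same check without a hosted tool, the following added example (standard-library Python, not the SSL Checker Tool's code nor anything from the original post) reads the modulus length straight out of a certificate's DER SubjectPublicKeyInfo and rates it against the NIST schedule described at the top of the article (80-bit strength through 2013, 2048-bit RSA from 2014, 3072-bit from 2031). The hand-rolled DER walker assumes well-formed rsaEncryption input; build_test_spki() wraps a dummy modulus of the requested size so the parser can be exercised offline, and it is not a real key.

```python
"""Measure an RSA public key's modulus length from its DER encoding and rate
it against the NIST SP 800-57 transition schedule cited in the article.
Added example using only the Python standard library; the hand-rolled DER
parser assumes well-formed SubjectPublicKeyInfo input."""
import base64

# NIST SP 800-57 comparable strengths: RSA modulus bits -> security bits.
NIST_RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]

# rsaEncryption AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
RSA_ENCRYPTION_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")


def security_strength(modulus_bits):
    """Security strength of an RSA modulus, rounded down to the tabulated sizes."""
    strength = 0
    for size, bits in NIST_RSA_STRENGTH:
        if modulus_bits >= size:
            strength = bits
    return strength


def minimum_rsa_bits(year):
    """Smallest acceptable RSA modulus in `year`: 80-bit strength allowed
    through 2013, 112-bit (2048-bit RSA) through 2030, 128-bit from 2031."""
    if year <= 2013:
        return 1024
    if year <= 2030:
        return 2048
    return 3072


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at `pos`: (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = octet count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus bit length from a DER SubjectPublicKeyInfo (the public-key
    structure inside an X.509 certificate)."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algid, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier contents
    if algid != RSA_ENCRYPTION_ALGID[2:]:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _read_tlv(spki, pos)             # BIT STRING subjectPublicKey
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)        # skip unused-bits octet -> RSAPublicKey
    tag, modulus, _ = _read_tlv(rsa_pub, 0)         # INTEGER n (leading 0x00 if top bit set)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def spki_from_pem(pem_text):
    """Decode the PEM block printed by `openssl x509 -in cert.pem -noout -pubkey`."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def check_key(spki_der, year):
    """Rate a key for `year`; 'ok' is False when it is below the NIST minimum."""
    bits = rsa_modulus_bits(spki_der)
    required = minimum_rsa_bits(year)
    return {"modulus_bits": bits, "strength": security_strength(bits),
            "required_bits": required, "ok": bits >= required}


# --- constructed test keys (NOT real RSA moduli; only for exercising the parser) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" + raw) if raw[0] & 0x80 else raw)


def build_test_spki(modulus_bits, exponent=65537):
    """SubjectPublicKeyInfo around a dummy modulus with its top bit set."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _tlv(0x30, RSA_ENCRYPTION_ALGID + _tlv(0x03, b"\x00" + rsa_pub))


if __name__ == "__main__":
    for size in (1024, 2048, 3072):
        print(size, check_key(build_test_spki(size), year=2014))
```

For a live certificate, extract its public key with `openssl x509 -in cert.pem -noout -pubkey`, pass the printed PEM to spki_from_pem(), and feed the result to check_key() with the year the certificate will still be in use; a 1024-bit key is rated "ok" only for years up to 2013, matching the cut-off the article describes.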
Time to Raise Your RSA Key
ClickSSL stopped issuing 1024-bit SSL certificates in June 2012. As per the announcement, all certificates that carry a 1024-bit RSA key will expire on 31 October 2013. If you purchase a certificate after that date, you will receive one with a 2048-bit RSA key. If your certificate expires in 2014 or 2015 you can continue with the 1024-bit RSA key until then, but since NIST and the browsers treat 1024-bit keys as deprecated from 2014, upgrading early is the safer course: you can reissue your current certificate from 1024-bit to 2048-bit free of charge from ClickSSL.