What is the best key size for security & performance for SSL interception?

Author: ziyad bakheet (New Member, joined 2017/10/03 07:17:18)
2018/02/01 06:51:50 (permalink)


Hello 
 
What is the best key size for security & performance for SSL interception?
 
I know that a large key size such as RSA (4096 bits) gives the best security. But there is no server that uses this size for encryption and decryption. Although security is important, we must also pay attention to performance; a secure service that does not satisfy performance criteria will no doubt be dropped. See: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices.
 
My question specifically: when intercepting SSL, the intercepted certificates are signed by the root certificate, and the root certificate will have a key size of RSA (2048 bits) or RSA (4096 bits). Now FortiOS 5.4.8 & 5.6.3 use a default certificate (Fortinet_CA_SSL) with key size RSA (2048 bits), but I want to use a root certificate of RSA (4096 bits) because it is better security and can be used for a longer time when deployed to a large enterprise. If a root certificate of RSA (4096 bits) is used, does that affect performance or the client?
 
I do not understand well what happens when intercepting SSL. I know that HTTPS inspection works by acting as a transparent proxy: it terminates and decrypts the client-initiated TLS session, analyzes the inner HTTP plaintext, and then initiates a new TLS connection to the destination website. See page 2: https://zakird.com/papers/https_interception.pdf
 
But for the encryption between the client and the firewall, is the server key or the root key used?
 
Symantec recommends that customers use RSA keys of size 2048 bits or higher, or Elliptic Curve keys on curves of size 224 bits or higher. See page 13: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/10000/DOC10728/en_US/SSLV_Admin_422x.pdf?__gda__=1517638374_8be8fabe6f2d006a409d57ed787fecf6 
 
Apple Root Certificates use RSA (4096 bits); see: Apple Root CA - G2 Root Certificate. Amazon, Comodo and others do as well.
 
I will use a root certificate with key size RSA (4096 bits) and the signature algorithm SHA-384, and not RSA keys of size 2048 bits with SHA-256.
Is this better, and does it affect performance or the client? And why?
 
Experts, please answer: what is the best?
 
Appreciate your help.
 
Regards,
 
Ziyad
 
 
 
post edited by ziyad bakheet - 2018/02/01 12:42:44


    emnoc (Expert Member, joined 2008/03/20 13:30:33, location: AUSTIN TX AREA)
    Re: What is the best key size for security & performance for SSL interception? 2018/02/01 18:45:08 (permalink)

    But when encryption between the client and the firewall, Is the server key or root key used?

     
    The CA root key is never exposed to the client. The root key is used during the signing and validation of the issued certificate.
     
    The SSL client is going to negotiate a master key for the session, and only with the public key of the web server, for example.
    Issuing a certificate from a Root CA that uses 4K bits or more is not going to make you more protected or less.
     
    As far as CAs that use 4096 bits, they are few but they do exist. I would weigh what you think you need against performance.
     
    Run openssl speed and select various key sizes and you will see the "longer" times
     
    e.g.
     
    openssl speed rsa2048
    vs
    openssl speed rsa4096
    or even
    openssl speed rsa1024
     
    Check out a previous blog post with examples of running comparisons
    http://socpuppet.blogspot...ssl-trick-2-stime.html
     
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
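The following Go program is an added worked example, not code from either poster or from Fortinet. It builds the chain the question describes (a 4096-bit root CA signing with SHA-384 and a 2048-bit leaf issued by it, the way an interception proxy mints a per-site certificate) and then runs a real TLS handshake over an in-memory pipe, reporting what the client actually used. It shows the point made in the reply: the session is authenticated against the leaf's key, and the root key appears only as the signature on the leaf that the client verifies against its trust store. The names Example Intercept Root CA and www.example.com, the key sizes passed to BuildChain, and the one-day validity are constructed test values; every certificate is generated at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type Chain struct { // constructed test PKI: a self-signed root CA plus the leaf it issued
	RootCert *x509.Certificate
	RootKey  *rsa.PrivateKey
	LeafCert *x509.Certificate
	LeafKey  *rsa.PrivateKey
}

// newCert generates an RSA key of the given size and a one-day SHA-384-signed certificate for cn; a nil parent means a self-signed root CA.
func newCert(bits int, cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(time.Now().UnixNano()),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: x509.SHA384WithRSA, // the signature algorithm the question proposes
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root CA: signs certificates, nothing else
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // leaf the proxy presents to the client for this host name
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain is the interception setup under discussion: a rootBits CA key that
// only ever signs, and a leafBits key the proxy presents to clients per site.
func BuildChain(rootBits, leafBits int) (*Chain, error) {
	rootCert, rootKey, err := newCert(rootBits, "Example Intercept Root CA", nil, nil)
	if err != nil {
		return nil, err
	}
	leafCert, leafKey, err := newCert(leafBits, "www.example.com", rootCert, rootKey)
	if err != nil {
		return nil, err
	}
	return &Chain{rootCert, rootKey, leafCert, leafKey}, nil
}

// Handshake runs a real TLS handshake over an in-memory pipe (server presents only the leaf,
// client trusts only the root) and reports the leaf key size the client authenticated against,
// the root key size it only checked a signature with, and the verified chain length.
func Handshake(c *Chain) (leafBits, rootBits, chainLen int, err error) {
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close() // also unblocks the server goroutine if the client side fails
	roots := x509.NewCertPool()
	roots.AddCert(c.RootCert)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{c.LeafCert.Raw}, PrivateKey: c.LeafKey}},
		SessionTicketsDisabled: true, // a synchronous pipe would block on post-handshake tickets
	}
	errCh := make(chan error, 1)
	go func() { errCh <- tls.Server(serverConn, serverCfg).Handshake() }()
	cl := tls.Client(clientConn, &tls.Config{RootCAs: roots, ServerName: "www.example.com"})
	if err = cl.Handshake(); err != nil {
		return
	}
	if err = <-errCh; err != nil {
		return
	}
	st := cl.ConnectionState()
	leafBits = st.PeerCertificates[0].PublicKey.(*rsa.PublicKey).N.BitLen()
	return leafBits, c.RootKey.N.BitLen(), len(st.VerifiedChains[0]), nil
}

func main() {
	chain, err := BuildChain(4096, 2048)
	if err != nil {
		panic(err)
	}
	leaf, root, n, err := Handshake(chain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("session authenticated by the %d-bit leaf; the %d-bit root only signed it; chain length %d\n", leaf, root, n)
}
```

Changing the root size in BuildChain alters only the signature on the leaf and the one RSA public-key verification the client performs on it (plus 256 extra bytes of signature in the chain); the per-connection private-key work on the firewall is set by the leaf size. To measure that cost directly, the openssl speed comparison in the reply above is the right tool.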