What is the best key size for SSL interception, for security and performance?
Hello
I know that a larger key size such as RSA (4096 bits) gives the best security, but there is no server that uses this size for encryption and decryption. Although security is important, we must also pay attention to performance; a secure service that does not satisfy performance criteria will no doubt be dropped. See: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices.
My question specifically: when intercepting SSL, the intercepted certificates are signed by the root certificate, and the root certificate will have a key size of RSA (2048 bits) or RSA (4096 bits). Now FortiOS 5.4.8 & 5.6.3 use a default certificate (Fortinet_CA_SSL) with a key size of RSA (2048 bits), but I want to use a root certificate of RSA (4096 bits) because it gives better security and a longer usable lifetime when deployed to a large enterprise. If a root certificate of RSA (4096 bits) is used, does that affect performance or the client?
I do not understand well what happens when intercepting SSL. I know that devices that inspect HTTPS traffic operate by acting as transparent proxies. They terminate and decrypt the client-initiated TLS session, analyze the inner HTTP plaintext, and then initiate a new TLS connection to the destination website. See page 2: https://zakird.com/papers/https_interception.pdf.
But for the encryption between the client and the firewall, is the server key or the root key used?
Symantec recommends that customers use RSA keys of size 2048 bits or higher, or Elliptic Curve keys on curves of size 224 bits or higher. See page 13: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/10000/DOC10728/en_US/SSLV_Admin_422x.pdf?__gda__=1517638374_8be8fabe6f2d006a409d57ed787fecf6
Apple Root Certificates use RSA (4096 bits); see: Apple Root CA - G2 Root Certificate. Amazon, Comodo and others do as well.
I will use a root certificate with key size RSA (4096 bits) and the signature algorithm SHA-384, not an RSA key of 2048 bits with SHA-256.
Is this better, and does it affect performance or the client? And why?
Experts, please answer: what is the best?
Appreciate your help.
Regards,
Ziyad
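The interception setup the question describes, as an added example that is not part of the original post: a 4096-bit root CA signs a 2048-bit leaf certificate the way an inspecting proxy re-signs each site, and the script shows which key size each side handles. In TLS, the private key of the presented certificate (the leaf) does the per-handshake work; the root key is used only when the leaf is issued. It assumes the openssl CLI is installed; the CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a 4096-bit root CA re-signs a
# 2048-bit "interception" leaf, mimicking what an SSL-inspecting proxy does.
# Assumes the openssl CLI is available; all names and paths are constructed.
set -e
WORK="$(mktemp -d)"

# Root CA: this key signs every forged leaf (a per-site issuing operation,
# not a per-handshake one). Key size is $1.
make_root() {
  openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" -days 3650 -sha384 \
    -subj "/CN=Example Inspection Root CA" 2>/dev/null
}

# Leaf: the key the proxy presents to the client in the TLS handshake for
# hostname $2. Key size is $1; the cert is signed by the root above.
make_leaf() {
  openssl req -newkey "rsa:$1" -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.crt" \
    -days 1 -sha256 2>/dev/null
}

# Print the RSA modulus size (in bits) of the certificate in file $1.
key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print "OK" when the leaf chains to the root, as a client would check.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" \
    | sed -n 's/.*: OK$/OK/p'
}

make_root 4096
make_leaf 2048 www.example.com
echo "root : $(key_bits "$WORK/root.crt") bit (signs leaf certs only)"
echo "leaf : $(key_bits "$WORK/leaf.crt") bit (used in every client handshake)"
echo "chain: $(verify_chain)"
```

The client only verifies the root's signature on the leaf, which is a cheap public-key operation; the proxy's per-connection private-key cost is set by the leaf key size it generates, not by the root.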
