Latest articles in ‘Encryption’

  1. RSA key lengths, elliptic curve cryptography and quantum computing

    Published: Thu 14 December 2017 in Opinions.
    Are RSA keys over 2048 bits overkill? Are elliptic curves the future of cryptography? Is quantum computing a real threat, and what is its exact impact?

    Some tools, like PGP, are still stuck with legacy cryptography, mainly the RSA algorithm. For such tools, RSA-2048 is often described as strong enough for any foreseeable future, anything above being overkill. The GnuPG official documentation in particular goes so far as to consider that using RSA-3027 or RSA-4096 constitutes “an improvement so marginal that it’s really not worth mentioning”, adding that “the way to go would be to switch to elliptical curve cryptography”.

    The assertion that this improvement is “marginal” is debatable, as is the trust placed in elliptic curves to protect us in the future.

    Longer RSA keys

    While NIST considers RSA-2048 to be safe for commercial use up to 2030, it still advises the use of at least an RSA-3072 key beyond that date (see BlueKrypt’s Keylength website for an overview of the various recommendations).

    Read quickly, such recommendation …

  2. What is the difference between HTTP and HTTPS with a self-signed certificate?

    Published: Fri 28 August 2015 in Opinions.
    The security and user experience differences and how to safely manage them.

    Security difference

    First, let’s talk about SSL (now called TLS, by the way), which adds the ‘S’ at the end of HTTPS and is in charge of “securing the communication”. The key to answering this question is indeed to fully understand what we mean by “securing the communication”.

    SSL, whether the certificate in use is self-signed or signed by a trusted CA, will ensure that the communication between you and the remote host remains confidential and that no one can tamper with any data exchanged.

    The warning message shown by browsers about self-signed certificates is therefore not about that.

    But how can you be sure that the remote host answering your requests is really the one you expect? With public websites, for which you have no direct way to authenticate the certificate yourself, this is simply impossible. Here comes external …
