While the SecureSpan SOA Gateway uses RSA-based cryptographic algorithms and the attendant Public Key Infrastructure (PKI) certificates, it is possible to substitute the more advanced Elliptic Curve Cryptographic (ECC) algorithms and certificates. This tutorial explains how to configure the SecureSpan Gateway to use these advanced algorithms.
Elliptic Curve cryptography depends on a different difficult underlying mathematical problem than RSA cryptography does. The security of RSA-based cryptography rests on the difficulty of factoring a number into its prime factors, and the security of ECC rests on the difficulty of calculating the so-called discrete logarithm of an abstract group element. Comparisons of the effective security of the two algorithms as a function of key size have been made [Lenstra99]. RSA key sizes of between 1024 bits and 2048 bits are common. Lenstra and Verheul find that the following ECC key sizes offer the same effective cryptographic security.

| RSA Key Size (bits) | ECC Key Size (bits) |
| --- | --- |
| 1028 | 135 |
| 1562 | 172 |
| 2054 | 197 |

The computational difficulty of performing cryptographic calculations is directly related to the key size required by the algorithms. One of the key benefits of the ECC algorithms is the consequent reduction in the computational resources required to achieve a given level of security.
Most of the functions required to use ECC cryptography are accomplished through the Manage Private Keys dialog.

To create an ECC key with a self-signed certificate, select the “Create” button, type in a key alias, modify the Subject DN value if required, and then select “Create.”

To use the new key and certificate pair, use the “Manage Listen Ports” menu item on the “Tasks” menu. You may create an additional listening port or use one of the existing ones. Select your new key alias in the “Server Private Key” drop-down list. You will have to remove any ciphers based on RSA from the “Enabled Cipher Suites” pick list.

After enabling the Listen Port you ought to be able to use a sufficiently modern web browser to confirm the SecureSpan Gateway is now using an ECC key and certificate pair. You can use one of the standard services on the Gateway (for example https://ssg.layer7tech.com:9443/ssg/ping). After connecting to the Gateway you can double-click the padlock icon in the web browser. In the certificate details, the Algorithm Identifier and Algorithm Parameters fields show that Elliptic Curve Cryptography is being used.
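
The same check can be scripted instead of read off the browser's certificate dialog. The following is an added example, not part of the original tutorial or the SecureSpan product: it reads the Algorithm Identifier and Algorithm Parameters out of a certificate's SubjectPublicKeyInfo using only the Python standard library. The function names, the OID tables and the sample bytes are assumptions made for illustration; the sample is a constructed, certificate-shaped structure so the parser can be exercised offline.

```python
import ssl

# Well-known OIDs (RFC 3279 / RFC 5480), not values taken from the page.
KEY_ALGS = {"1.2.840.10045.2.1": "EC", "1.2.840.113549.1.1.1": "RSA"}
CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string (first byte holds two arcs)
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def server_key_algorithm(cert_der):
    """Return (key algorithm, curve or None) from the certificate's SubjectPublicKeyInfo."""
    _, pos, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos          # skip the optional [0] version field
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, pos, _ = read_tlv(cert_der, pos)        # subjectPublicKeyInfo SEQUENCE
    _, pos, alg_end = read_tlv(cert_der, pos)  # AlgorithmIdentifier SEQUENCE
    _, start, end = read_tlv(cert_der, pos)    # algorithm OID
    alg, params = decode_oid(cert_der[start:end]), None
    if end < alg_end:                          # parameters present (named curve for EC)
        tag, start, stop = read_tlv(cert_der, end)
        params = decode_oid(cert_der[start:stop]) if tag == 0x06 else None
    return KEY_ALGS.get(alg, alg), CURVES.get(params, params)

def fetch_cert_der(host, port):  # no chain validation: the tutorial's cert is self-signed
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed, certificate-shaped DER (empty names, dummy key bits), not a real certificate.
SAMPLE_EC = bytes.fromhex("3032302ba003020102020101" "3000300030003000" "30193013"
                          "06072a8648ce3d0201" "06082a8648ce3d030107" "03020004" "3000030100")
print(server_key_algorithm(SAMPLE_EC))  # ('EC', 'P-256')
```

Against a running Gateway, pass the result of `fetch_cert_der(host, port)` for the listen port configured above to `server_key_algorithm`; a result starting with `'RSA'` means the port is still serving the old key.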

Many other options are possible. You can create a self-signed, Certificate Authority-capable certificate that you can then use to sign individual or server certificates and start building your own Certificate Authority. Have fun!
References
[Lenstra99] Lenstra, A. K., Verheul, E. R., “Selecting Cryptographic Key Sizes”, http://www.win.tue.nl/~klenstra/key.pdf, 1999.