Next-Generation Security for the Apache Web Server

Elliptic Curve Cryptography (ECC) is a next-generation public-key cryptographic technology that is more resource-efficient than RSA (learn why) and was recently endorsed by the NSA for protecting sensitive US Government information (see The Case for ECC and Suite B).

Sun Labs has played a major role in promoting widespread industry adoption of this technology by:

  1. Leading the standardization of ECC within SSL/TLS, the dominant security protocol used on the Internet (see RFC 4492 and its earlier versions).
  2. Contributing ECC technology to OpenSSL (version 0.9.8 and later) and NSS/Mozilla (version 3.8 and later) -- two cryptographic libraries that power the world's most popular open source web server (Apache) and browser (Firefox), respectively.
  3. Initiating and leading a cross-vendor ECC Interoperability Forum (with participants from Apache, Certicom, Microsoft, Mozilla, OpenSSL, Red Hat, RSA, Sun and Verisign) to ensure seamless interoperability between ECC-enabled offerings from different companies.

ECC has been part of Firefox since October 2006 when version 2.0 was released but isn't yet included in the default build of the Apache web server (see Bug 40132). I recently updated the patch and corresponding instructions to create an ECC-enabled version of Apache 2.2.11 with OpenSSL 1.0.0-beta2. If you happen to try out the patch, I'd love to get your feedback.

In case you are wondering "why should I care?", think of this as another step in reducing the computational cost of security so service providers like Amazon, Facebook, Google and Yahoo can turn on HTTPS by default for all user interactions (not just the login phase), thereby boosting privacy on the Internet.

Comments:

Really, of course ECC is the lightweight alternative to RSA, but let me know how ECC will be implemented in SunSpot using Java. Can anyone provide/show me a simple algorithm of ECC implemented in Java using the Squawk JVM? Thanks.

Posted by SANA UL HAQ on June 22, 2009 at 01:00 PM PDT #

Also let's not forget that Sun's own Web Server 7 has had ECC support (thanks to Vipul's work with NSS) since early 2007, so no need to wait for Apache to catch up:

http://blogs.sun.com/jyrivirkki/entry/sun_ecc_and_web_server

Posted by Jyri Virkki on June 22, 2009 at 04:31 PM PDT #

For those of us who participated in Rob Harley's exercises to crack ECDL ( http://cristal.inria.fr/~harley/ecdl/ ), some reference to that might help with putting the current standard in context. I'm struggling to find any reference by just following your links.

Posted by niq on June 22, 2009 at 04:41 PM PDT #

About

Vipul Gupta