Encryption Algorithm and key size


#1

Hello,
We are a big hosting company, and one of our customers had a question:
1- What encryption algorithm does Let's Encrypt use?
2- What is the size of Let's Encrypt's security key?

Thanks,
best regards
besi


#2

In the SSL / TLS system, the encryption algorithms and key sizes actually used to secure communications between parties are negotiated for each connection, and are not controlled by the Certificate Authority (Let’s Encrypt). The customer should configure their software security settings to permit or refuse algorithms and key sizes depending on their needs. The web browser vendor Mozilla provides a site which gives some useful advice for common web servers, here:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

The certificates themselves issued by Let’s Encrypt to subscribers (like your customer) use either Elliptic Curve or RSA of at least 2048 bits. The private key held by Let’s Encrypt to provide their service is a 4096 bit RSA key.


#3

@radcom

A thing to note though: while Let's Encrypt will issue certificates for, and allow users to use, Elliptic Curve Cryptography, not all clients support this option.

Andrei


#4

To elaborate on that, Let’s Encrypt currently accepts the following named elliptic curves:

  • NIST P-256 (OpenSSL prime256v1);
  • NIST P-384 (OpenSSL secp384r1).

Unfortunately, support for NIST P-521 (OpenSSL secp521r1) was not included due to… Well… I’m still not really sure… Something about lack of browser support, although Firefox, Opera and Safari support the curve… :disappointed:


#5

Some of Let’s Encrypt’s dependencies also didn’t support P-521, though it has since been added to at least one.



#6

That’s quite a while back in the meantime… :slight_smile: Also, in 2015 the argument actually was browser support:

Also, feedback from our technical advisory board is to not yet sign P521 keys, since support isn’t there yet in the browsers.


#7

By the way, the customer can also look in the browser information (though perhaps not on recent versions of Chrome :slight_frown:) when connecting to the site to see the cryptographic details about the connection's security. These details are visible to any visitor to any site.

As @tialaramex says, many of the details about the connection security are agreed each time between the browser and the web server for each individual connection, and could be different for one user and another user.

Probably the number that most people would think of first is the size of the private key corresponding to the web site’s certificate, which for RSA certificates can be 2048, 3072, or 4096 bits, depending on what was specified when the certificate was obtained. But in fact, this parameter is very unlikely to be the most relevant to assess the overall security of the connection; other technical details are generally more relevant in practice.
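The two points made in #2 and #7 (the operator decides which algorithms a connection may use, and what was actually negotiated is visible per connection) can be checked from a script as well as from the browser's security pane. The following is an added example, not code from the thread or from Let's Encrypt; the cipher policy, the host name and the helper names are my own choices, and the Python `ssl` module does not expose the certificate's public key size, so that one detail still has to come from the browser or an `openssl` dump.

```python
import socket
import ssl

# Illustrative policy (an assumption, not Let's Encrypt's): refuse anything
# below TLS 1.2 and offer only forward-secret AEAD suites.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def build_hardened_context():
    """Client context that only permits the algorithms this policy allows."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(CIPHERS)            # TLS 1.2 suites; TLS 1.3 suites remain
    return ctx


def permitted_suites(ctx):
    """Suites the context would offer, with protocol and key strength in bits."""
    return [
        {"name": c["name"], "protocol": c["protocol"], "bits": c["strength_bits"]}
        for c in ctx.get_ciphers()
    ]


def connection_details(host, port=443, timeout=5.0):
    """Open one TLS connection and report what was negotiated for it.

    These values come from the handshake, not from the CA, so two visitors of
    the same site may see different ones. Needs network access.
    """
    ctx = build_hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),  # e.g. "TLSv1.3"
                "cipher": name,
                "cipher_bits": bits,
                "cert_subject": dict(rdn[0] for rdn in cert["subject"]),
                "cert_issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "cert_not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical host
    for key, value in connection_details(target).items():
        print(f"{key}: {value}")
```

Run it against the customer's own site to see which suite and protocol that particular connection negotiated; compare `permitted_suites()` against the web server's configuration to see which side is restricting the choice.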


#8

Offtopic:
Users of recent Chrome versions can press F12 or Ctrl-Shift-I and check the Security tab in the developer toolbar :wink: Not a fan of the change though, keeping this information so well hidden from regular users…

