[Cryptography] SSL combines two aspects of communication

Andreas Junius andreas.junius at gmail.com
Tue Jan 13 18:30:50 EST 2015


Hi all,

I've been working on a secure application for a while that is based on 
https. One of the problems I found with SSL is that it combines two 
aspects of communication, i.e. authentication and encryption. These two 
aspects have contradicting requirements. One of the requirements for 
authentication is that the certificate should not frequently change 
(most SSL certificates are valid for one or two years). And I think an 
important requirement for encryption is that a key gets not longer used 
than absolutely necessary, i.e. it should be as short-living as possible.

So what I did was adding an additional level for encryption underneath 
SSL (all at application level for a start). My server has two 
certificates now; the SSL certificate for authentication and another one 
that serves as the servers own CA. The server uses this CA certificate 
to sign what I call an “encryption certificate”, that it delivers to the 
client. This “encryption certificate” gets generated by the application 
server on a regular basis. The interval can be set via parameter, 
depending on the security needs of the application, e.g. re-generate 
after 4 weeks or 2 weeks or even on every request/session.

I did all this because some sources claim the NSA is able to crack a SSL 
key in about 10 days; which means they can then read all communication 
with the targeted server for the remaining validity period of the SSL 
certificate. If the key changes on a regular basis, their job will be 
much harder.

But the question remains: does this system actually add to security? 
What do you think?

Andy


More information about the cryptography mailing list