CloudFront 宣佈支援 ECDSA 的 Certificate
source link: https://blog.gslin.org/archives/2021/07/16/10241/cloudfront-%e5%ae%a3%e4%bd%88%e6%94%af%e6%8f%b4-ecdsa-%e7%9a%84-certificate/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
CloudFront 宣佈支援 ECDSA 的 Certificate
Amazon CloudFront 宣佈支援 ECDSA 的 certificate:「Amazon CloudFront now supports ECDSA certificates for HTTPS connections to viewers」。
用主要是讓 certificate 更小,讓 HTTPS 建立時的過程更快 (包括了傳輸的速度與計算的速度):
As a result, conducting TLS handshakes with ECDSA certificates requires less networking and computing resources making them a good option for IoT devices that have limited storage and processing capabilities.
很久以前好像有看到資料說 256 bits 的 EC 運算量跟 768~1024 bits 的 RSA 差不多,但一時間找不到資料...
目前 CloudFront 只支援 NIST P-256 (secp256r1,或稱作 prime256v1):
Starting today, you can use Elliptic Curve Digital Signature Algorithm (ECDSA) P256 certificates to negotiate HTTPS connections between your viewers and Amazon CloudFront.
但 NIST P-256 一直為人詬病,在「SafeCurves: choosing safe curves for elliptic-curve cryptography」這邊可以看到 NIST 宣稱的效率設計實際上都不是真的:
Subsequent research (and to some extent previous research) showed that essentially all of these efficiency-related decisions were suboptimal, that many of them actively damaged efficiency, and that some of them were bad for security.
但目前標準是往 NIST P-256、NIST P-384 與 NIST P-521 靠攏 (主要是受到 CA/Browser Forum 的限制),要其他 curve 的 certificate 也沒辦法生,目前可能還是繼續觀望...
Related
OpenSSL 的 ECDH 中,224 bits 速度比 160/192 bits 快的原因
跑 openssl speed ecdh 的時候發現很特別的現象: Doing 160 bit ecdh's for 10s: 40865 160-bit ECDH ops in 9.99s Doing 192 bit ecdh's for 10s: 34169 192-bit ECDH ops in 9.99s Doing 224 bit ecdh's for 10s: 60980 224-bit ECDH ops in 9.99s Doing 256 bit ecdh's for 10s: 34298 256-bit ECDH…
January 29, 2015In "Computer"
GCP 推出 Cloud HSM (beta)
這算是 Google Cloud Platform 在補產品線,讓那些有強制使用 HSM 的需求的應用 (通常是遇到一定要 FIPS 140-2 的規範) 可以搬上雲端:「Introducing Cloud HSM beta for hardware crypto key security」。 從圖片上可以看到 LiquidSecurity,應該是「LiquidSecurity® General Purpose HSM Adapters and Appliances」這個產品: 如同 AWS 的 CloudHSM 服務,GCP 的 Cloud HSM 也是提供 FIPS 140-2 Level 3: Cloud HSM allows you to host encryption keys and…
August 21, 2018In "Cloud"
Let's Encrypt 生了新的 Root 與 Intermediate Certificate
Let's Encrypt 弄了新的 Root Certificate 與 Intermediate Certificate:「Let's Encrypt's New Root and Intermediate Certificates」。 一方面是本來的 Intermediate Certificate 也快要要過期了,另外一方面是要利用 ECDSA 降低傳輸時的頻寬成本: On Thursday, September 3rd, 2020, Let’s Encrypt issued six new certificates: one root, four intermediates, and one cross-sign. These new certificates are part of our larger plan to improve privacy…
September 21, 2020In "Computer"
Author Gea-Suan LinPosted on July 16, 2021Categories AWS, CDN, Cloud, Computer, Murmuring, Network, Service, WWWTags amazon, aws, cdn, certificate, cloud, cloudfront, curve, ecdsa, elliptic, https, network, nist, p256, performance, prime256v1, secp256r1, security, service, speed Leave a Reply Cancel reply
Your email address will not be published. Required fields are marked *
Comment
Name *
Email *
Website
Notify me of follow-up comments by email.
Notify me of new posts by email.
Post navigation
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK