April 07, 2003, 3:12 PM — A new SSL (Secure Sockets Layer) certificate will provide stronger protection for online transactions by storing private key information in a hardware security module, according to a statement released by VeriSign Inc. and nCipher PLC.
The Hardware Protected SSL Certificate is a joint product of the two companies and combines VeriSign's certificate technology with nCipher's cryptographic hardware.
The new hardware protected version is an effort to address concerns over the security of software-based certificates, according to Stu Vaeth, director of product marketing at nCipher.
Using public key infrastructure (PKI) technology, a public key and a private key are generated together as a mathematically linked pair. The pair is created by the certificate holder (with the new product, inside the hardware module); a certificate authority (CA) such as VeriSign then signs the public key, binding it to the holder's identity in an X.509 certificate.
Messages encrypted by third parties using the public key can be decrypted only by the certificate holder using the private key, which is never shared or transmitted over the Internet. In an SSL session this is how the browser delivers the secret from which the session keys are derived, so whoever holds the private key can read the traffic.
In addition, the private key authenticates an organization doing business online to those conducting transactions with it. Only the holder of the private key can produce a valid digital signature, or decrypt what was encrypted to the public key; the other party checks this against the public key carried in the CA-signed certificate, which establishes that it is talking to the certificate holder rather than an impostor.
Recent research, including a report from Gartner Inc., points to vulnerabilities in software-based certificates, whose private keys live in ordinary server memory and on disk. Hackers can capture an SSL certificate's private key from a machine's memory in so-called "key-finding" attacks, Vaeth said.
Once a key has been compromised, attackers can post "spoof" Web sites that use the key to impersonate the legitimate certificate holder, or decrypt intercepted SSL traffic offline, according to Vaeth.
The new Hardware Protected SSL Certificate keeps the private key belonging to the site's X.509 certificate inside an nCipher nForce or nShield hardware security module, where it is generated and used, rather than in the Web server's memory or on its disk. Both nCipher products are validated to FIPS 140-2 (Federal Information Processing Standard 140-2), according to the companies.
In addition to better protecting the private key, the hardware-based product takes the job of SSL encryption and key management off the Web server and provides SSL acceleration to offset the extra processing that encrypted SSL traffic demands, according to Vaeth.
From the user's standpoint, a new VeriSign seal will adorn sites using the hardware-protected certificate. Clicking the seal brings up information indicating that the private key associated with the site's SSL certificate was generated inside a FIPS 140-2 validated hardware security module, according to Kevin Trilli, director of product marketing at VeriSign.
VeriSign will also be raising the ceiling on its NetSure Warranty protection from US$100,000 to $500,000 for sites using the new Hardware Protected SSL Certificate, Trilli said.