A new SSL (Secure Sockets Layer) certificate will provide stronger protection for online transactions by storing private key information in a hardware security module, according to a statement released by VeriSign Inc. and nCipher PLC.
The Hardware Protected SSL Certificate is a joint product of the two companies and combines VeriSign's certificate technology with nCipher's cryptographic hardware.
The new hardware protected version is an effort to address concerns over the security of software-based certificates, according to Stu Vaeth, director of product marketing at nCipher.
Using public key infrastructure (PKI) technology, a public and private encryption key are created simultaneously using the same algorithm by a certificate authority (CA) such as VeriSign.
Messages encrypted by third parties using the public key can be decrypted by the certificate holder using the private key, which is never shared or transmitted over the Internet.
In addition, private keys can be used to authenticate an organization doing business online to those conducting transactions with it. Companies can use their private key to encrypt a digital certificate. Recipients then use the company's public key to decrypt it, verifying the identity of the certificate holder.
Recent research, including a report from Gartner Inc., points to vulnerabilities in software-based certificates. Hackers can capture an SSL certificate's private key from a machine's memory in so-called "key-finding" attacks, he said.
Once a key has been compromised, attackers can post "spoof" Web sites that use the key to impersonate the legitimate certificate holder, or decrypt intercepted SSL traffic offline, according to Vaeth.
The new Hardware Protected SSL Certificate stores an X.509 encryption certificate inside an nCipher nForce or nShield hardware security module. Both nCipher products are certified using FIPS 140-2 (Federal Information Processing Standard), according to the companies.
In addition to providing better private key security, the hardware-based product removes the job of encryption and key management from the Web server and provides SSL acceleration to compensate for the extra processing demanded by encrypted SSL traffic, according to Vaeth.
From the user's standpoint, a new VeriSign seal will adorn sites using the hardware-protected certificate. When users click on the seal, information will be provided that indicates the private key associated with their SSL certificate was generated inside a FIPS 140-2 validated hardware security module, according to Kevin Trilli, director of product marketing at VeriSign.
VeriSign will also be raising the ceiling on its NetSure Warranty protection from US$100,000 to $500,000 for sites using the new Hardware Protected SSL Certificate, Trilli said.
The new product will address a growing need among online vendors and shoppers for more secure transactions, according to Vaeth.
"We've been seeing that the customer base wants to get compliant with the latest technology and prevent hacks. People are looking for solutions that make sense," he said.
VeriSign and nCipher are hoping that the new hardware protected certificate "raises the bar" on certificate security and popularizes the use of hardware-based encryption technology for generating certificates, Trilli said.
"Right now this is a niche market. We're trying to create awareness and move people to a better certificate model," Trilli said.
While large enterprises and governments are the main consumers of hardware-based encryption now, VeriSign and nCipher eventually hope to be able to extend the technology out to mid-sized enterprises and small- and medium businesses, Vaeth said.
The Hardware Protected SSL Certificate is being marketed jointly by VeriSign and nCipher, according to Trilli.
Customers can purchase the new certificates from VeriSign for US$995 beginning in May. For $4500, customers can purchase a hardware - software bundle from nCipher that includes a VeriSign voucher for the Hardware Protected SSL Certificate along with the nForce or nShield Hardware Security Module, he said.
Existing VeriSign certificate customers who "understand SSL" are the initial targets of the companies' sales efforts, though the product will be offered to new customers as well, Trilli said.