As a fine example of proactive security, Google has announced that it will be upgrading its SSL certificates to 2048-bit keys by the end of 2013.
“We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year,” Stephen McHenry, Director of Information Security Engineering at Google, shared in a blog post. “We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.”
It’s interesting to note that in 2005, the National Institute of Standards and Technology (NIST) expected that digital signature algorithms using 1024-bit keys would either be broken or be in serious danger of being broken by 2010, but that didn’t happen. In fact, adjusted predictions now point to 2017 or 2018 as the year when that is expected to occur.
Nevertheless, NIST has decreed that “after December 31, 2013, key lengths providing less than 112 bits of security strength shall not be used to generate digital signatures,” and that includes 1024-bit keys.
2048-bit key transport schemes have a security strength of 112 bits, and Google is to be praised for taking NIST’s recommendations into consideration and executing the change in due time.
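An added example (not taken from Google's or NIST's material) that shows why 1024-bit RSA keys fall under the 112-bit floor while 2048-bit keys meet it, using the number-field-sieve work estimate given in NIST SP 800-56B Rev. 2, Appendix D. The inventory names, the function names and the rounding to the nearest multiple of 8 are assumptions made for this illustration.

```python
import math

NIST_FLOOR_BITS = 112  # floor quoted in the article for signatures after 2013


def rsa_strength_estimate(modulus_bits):
    """Raw strength estimate in bits: log2 of the number-field-sieve work factor."""
    x = modulus_bits * math.log(2)  # ln(n) for a modulus n of this bit length
    work_ln = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return work_ln / math.log(2)


def rsa_strength_bits(modulus_bits):
    """Estimate rounded to the nearest multiple of 8 (convention assumed here).

    The raw value for 2048 bits is about 110, which is quoted as 112.
    """
    return 8 * round(rsa_strength_estimate(modulus_bits) / 8)


def below_floor(inventory, floor=NIST_FLOOR_BITS):
    """Return (name, modulus_bits, strength) for every key under the floor."""
    flagged = []
    for name, bits in inventory:
        strength = rsa_strength_bits(bits)
        if strength < floor:
            flagged.append((name, bits, strength))
    return flagged


# Constructed inventory of certificate keys; names are hypothetical.
SAMPLE_INVENTORY = [
    ("legacy-root.example", 1024),
    ("new-leaf.example", 2048),
    ("new-root.example", 4096),
]

if __name__ == "__main__":
    for name, bits in SAMPLE_INVENTORY:
        print(f"{name}: RSA-{bits} ~ {rsa_strength_bits(bits)} bits of strength")
    for name, bits, strength in below_floor(SAMPLE_INVENTORY):
        print(f"REPLACE {name}: {strength} bits is under the {NIST_FLOOR_BITS}-bit floor")
```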
Google has pointed out some of the problems that the change may produce, and has offered a FAQ addressing certificate changes, as well as instructions for app developers on how to adapt their apps to certificate changes.