Key highlights of these changes are:
• support for long cryptographic keys;
• implementation of elliptic curve cryptography;
• security by default.
Support for Long Cryptographic Keys
Many decision-makers look several years ahead when evaluating the security considerations of interoperability solutions. A simple example is accounting documents, where it is quite common to require evidentiary value of digitally signed data for 7 or more years. UXP now supports long cryptographic keys that, according to researchers at NIST, keep security software safe until the year 2031 and beyond [1].
The exponential growth of computing power makes it easier to break the security of weak cryptographic keys. Longer keys add more security and make the system more future-proof. Thus, longer keys make it considerably harder for malicious actors to compromise encrypted documents such as accounting records. Thanks to this improvement, UXP operators have one less concern to worry about for at least a decade.
Elliptic Curve Cryptography
Security-intensive solutions can be quite demanding on hardware. In order to save on customer hardware costs, we have implemented elliptic curve cryptography, which improves UXP security performance compared to older algorithms (such as RSA) without affecting security itself. Elliptic curve cryptography is a relatively new branch of cryptography that achieves the same level of security with approximately 10 times shorter keys than the widely used RSA algorithm. Shorter keys mean faster encryption with less computing power. All in all, this translates to lower hardware costs for UXP operators.
Security by Default
Starting from the 1.13 release, we deploy UXP with more stringent default security settings. This best practice helps to keep customers on the safe side if the configuration of some UXP security setting is missed. For example, the HTTPS protocol is used by default everywhere, and default key lengths have been increased.
In more technical terms, UXP Core 1.13 now supports RSA keys longer than 2048 bits. The key length depends on the solution requirements and is theoretically unlimited; in practice, however, there are performance considerations. With support for the Elliptic Curve Digital Signature Algorithm (ECDSA) and a choice of the elliptic curves P-256, P-384 and P-521, we have considerably enhanced the performance of UXP PKI. UXP now supports TLS version 1.3 in addition to TLS 1.2; TLS 1.1, however, is no longer available.
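As an added illustration of these defaults (example code written for this post, not UXP's own), the Go snippet below accepts only keys matching the paragraph above and builds a TLS server configuration that refuses TLS 1.1. The acceptance thresholds (RSA longer than 2048 bits, ECDSA on P-256, P-384 or P-521) are an assumption taken from the text, not a UXP policy file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"fmt"
)

// KeyMeetsPolicy applies the key rules this post attributes to UXP Core 1.13 as an
// assumed policy: RSA moduli longer than 2048 bits, ECDSA on P-256, P-384 or P-521.
func KeyMeetsPolicy(pub interface{}) (bool, string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen() > 2048, fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		name := "ECDSA " + k.Curve.Params().Name
		switch k.Curve {
		case elliptic.P256(), elliptic.P384(), elliptic.P521():
			return true, name
		}
		return false, name // e.g. P-224 is not in the supported set
	}
	return false, fmt.Sprintf("unsupported key type %T", pub)
}

// ServerTLSConfig mirrors the transport defaults described above: TLS 1.2 and 1.3
// are offered; a client proposing TLS 1.1 or older fails the handshake.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13}
}

// CheckSamples generates four constructed keys and reports which pass the policy.
func CheckSamples() map[string]bool {
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048) // previous default length, rejected
	rsa3072, _ := rsa.GenerateKey(rand.Reader, 3072) // longer key, accepted
	p384, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	p224, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	results := map[string]bool{}
	for _, pub := range []interface{}{&rsa2048.PublicKey, &rsa3072.PublicKey, &p384.PublicKey, &p224.PublicKey} {
		ok, label := KeyMeetsPolicy(pub)
		results[label] = ok
	}
	return results
}

func main() { fmt.Println(CheckSamples()) }
```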
Check out the UXP Core 1.13 release notes for more details!
[1] "Recommendation for Key Management" https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf, p. 59.