In spite of that the first paper about the RSA algorithm has been published in 1977, thus it is almost fifty years old, a large percentage of key pairs related to certificates still relies on the algorithm. In our previous post, some aspects of RSA were mentioned namely that how safe is the algortihm, and that what do the corresponding sunset dates mean, however there was no mention of practical considerations for end users.
Cryptographic keys used in public key infrastructures may greatly differ from each other regarding their management and security needs; this usually depends on for how long we want to use them. This validity period may be a few minutes (e.g., for so-called short-term certificates) but it may even be fifty years (in case of long-term preservation/archiving). In the first example, out key is almost for one use, because its validity is so short that it cannot even be abused. However, if we wanted to preserve a file for a long time, it is important that it would be protected by a cryptographic algorithm that is secure for the whole preservation period (cannot be broken). Thus, in these cases, it is necessary to re-timestamp them, which means regularly applying a time stamp with a newer time stamp that uses an up-to-date algorithm, which protects the entire file.
About what qualifies as an up-to-date algorithm, specification ETSI TS 119 312 (AlgoPaper) makes provisions in Europe. According to the current version of the AlgoPaper, the most widely used RSA signature suite, sha256RSA with a 2048-bit key size is only supported until the end of 2025 (and according to our background information, it is not likely that this deadline will be postponed). AlgoPaper however does not specify a sunset date regarding ECC (Elliptic Curve Cryptography)-based solutions, and because more and more implementations and users have ECC keys, it is likely that it will replace RSA in the world of e-signatures.
The sunset date of sha256RSA means that these RSA-2048-protected files shall be re-timestamped with a stronger (typically ECC) time stamp on 31st December 2025 at the latest. It is also worth to apply more up-to-date (typically ECC) time stamps on our signatures even before the deadline, and it is worth switching to more up-to-date (typically ECC) signature algorithms.
If someone misses the change-over, they have to prepare having a lot of trouble with their preserved files, especially if they have to provide the validity of their electronically signed documents.
Luckily, as an end user, the problems with algorithms can easily be avoided. All we have to do is:
If we take care of the above, we will likely have no problems regarding algorithms.
It is important to note that users of Microsec’s long-term (11-year) ECC time stamps only need to re-timestamp in 2033, while with RSA-2048 solutions, the task can only be procrastinated at the latest until 2025.
© 2024 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41