A new SSL (Secure Sockets Layer) certificate - the joint product of VeriSign and nCipher - will provide stronger protection for online transactions by storing private key information in a hardware security module, the two companies claimed.
The Hardware Protected SSL Certificate combines VeriSign's certificate technology with nCipher's cryptographic hardware.
Using public key infrastructure (PKI) technology, a public and private encryption key are created simultaneously using the same algorithm by a certificate authority (CA) such as VeriSign.
Messages encrypted by third parties using the public key can be decrypted by the certificate holder using the private key, which is never shared or transmitted over the internet.
Private keys can also be used to authenticate an organisation doing business online to those conducting transactions with it. Companies can use their private key to encrypt a digital certificate. Recipients then use the company's public key to decrypt it, verifying the identity of the certificate holder.
Recent research, including a report from Gartner, pointed to vulnerabilities in software-based certificates. Hackers can capture an SSL certificate's private key from a machine's memory in so-called "key-finding" attacks.
Once a key has been compromised, attackers can post "spoof" websites that use the key to impersonate the legitimate certificate holder, or decrypt intercepted SSL traffic offline.
The new Hardware Protected SSL Certificate stores an X.509 encryption certificate inside an nCipher nForce or nShield hardware security module. Both nCipher products are certified using FIPS 140-2 (Federal Information Processing Standard).
In addition to providing better private key security, the hardware-based product removes the job of encryption and key management from the web server and provides SSL acceleration to compensate for the extra processing demanded by encrypted SSL traffic.
A new VeriSign seal will adorn sites using the hardware-protected certificate. When users click on the seal, information will be provided that indicates the private key associated with the site's SSL certificate was generated inside a FIPS 140-2 validated hardware security module.
VeriSign will also raise the ceiling on its NetSure Warranty protection from $100,000 to $500,000 for sites using the new Hardware Protected SSL Certificate.
Customers can purchase the new certificates from VeriSign for $995 from May. For $4,500, customers can purchase a hardware-software bundle from nCipher that includes a VeriSign voucher for the Hardware Protected SSL Certificate along with the nForce or nShield Hardware Security Module.
Existing VeriSign certificate customers who "understand SSL" are the initial targets of the companies' sales efforts, though the product will be offered to new customers as well.