Until recently, only two algorithms were used in digital certificates: the RSA encryption algorithm and the SHA-1 hashing algorithm. Today these algorithms are no longer considered sufficiently secure, so new solutions have come to replace them.
In January 2011, trusted Certification Authorities adopted the NIST guidelines as the standard for issuing new RSA certificates with keys at least 2,048 bits long. However, the standards keep changing, and the required strength of the algorithms is gradually increasing. For example, the minimum RSA key size for Code Signing certificates has now been raised to 3,072 bits.
What is ECC?
ECC (Elliptic Curve Cryptography) is a method of public-key cryptography based on elliptic curves over finite fields. The most important difference between ECC and RSA is the key size needed for a given level of cryptographic strength. ECC provides the same cryptographic strength as RSA, but with much smaller keys. For example, a 256-bit ECC key is equivalent to a 3,072-bit RSA key (which is 50% longer than the 2,048-bit keys used for SSL certificates today).
Finally, the most secure symmetric algorithms used in TLS, such as AES, use a minimum of 128-bit keys, so the transition to asymmetric keys of comparable strength seems very reasonable.
Why should you move to ECC?
The small key size makes ECC an ideal choice for devices with limited storage or processing resources, which are increasingly common in IoT. On the server side, the small key size can speed up the SSL handshake, which results in extremely fast page loading and greater security.
Today, ECC certificates are issued by DigiCert (Symantec) and Sectigo (Comodo).
Note: RapidSSL cannot be ordered with ECDSA.
If you need an ECC certificate, you must generate a special request.
For Sectigo, generating an Elliptic Curve CSR requires OpenSSL 1.x or later and is done as follows:
1) Create a file containing the elliptic curve parameters:
$ openssl ecparam -name prime256v1 -out ecparams.pem
2) Create a CSR:
$ openssl req -new -sha256 -nodes -newkey ec:ecparams.pem -keyout my_ecc.key -out my_ecc.csr
Note: Issuing ECC certificates is only possible if you have not yet started the validation process, so be sure to inform us in advance by email that you require an ECC certificate!
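The two-step procedure above, wrapped in a script that also checks the result before the CSR is submitted. This is an added example and not part of the original article; it assumes `openssl` (1.x or later) is on PATH, and the common name, output directory and the file names my_ecc.key / my_ecc.csr are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the original article): generate a P-256 key and CSR
# with OpenSSL, then check the CSR. Assumes openssl 1.x or later on PATH.
# Arguments: $1 = common name for the request, $2 = output directory.

make_ecc_csr() {
    cn="$1"
    dir="$2"
    # Step 1: write the named-curve parameters (prime256v1 is NIST P-256).
    openssl ecparam -name prime256v1 -out "$dir/ecparams.pem" || return 1
    # Step 2: generate a fresh EC private key from those parameters and a
    # SHA-256-signed CSR. -subj makes the run non-interactive; -nodes leaves
    # the key unencrypted, as in the article's command.
    openssl req -new -sha256 -nodes -newkey ec:"$dir/ecparams.pem" \
        -keyout "$dir/my_ecc.key" -out "$dir/my_ecc.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1 || return 1
    # Check the CSR's self-signature before sending it to the CA; a CSR that
    # fails this check will be rejected anyway.
    openssl req -in "$dir/my_ecc.csr" -noout -verify >/dev/null 2>&1 || return 1
    return 0
}

# Print the curve name carried in a CSR's public key (e.g. "prime256v1"),
# so the order can be checked against what the CA expects.
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}
```

Usage: `make_ecc_csr www.example.test /tmp/order && csr_curve /tmp/order/my_ecc.csr` should print `prime256v1`; a non-zero exit from `make_ecc_csr` means one of the OpenSSL steps failed and the files in the directory should not be used.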
What is ECDSA?
The algorithm, called ECDSA (Elliptic Curve Digital Signature Algorithm), was first proposed by Scott Vanstone in 1992. Signatures based on ECS, the ancestor of ECDSA, have several important advantages over RSA-based algorithms: they are smaller and are created much faster. Verification based on ECC algorithms is also fast, which led to the widespread adoption of ECDSA certificates.
Advantages of using ECDSA over RSA
Using ECDSA for digital signatures carries a number of important advantages, such as:
- a high level of security;
- no problems with application performance;
- quick process of signing and verification (40% faster than RSA);
- meeting the growing application security requirements;
- support for government standards for the protection of information;
- compliance with modern industry requirements.
Certificates with ECDSA can reduce the total amount of data to be authenticated, resulting in significant cost savings in data storage.
Today, ECDSA certificates are issued by DigiCert (Symantec) and Sectigo (Comodo).
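The two size claims the article makes, a 256-bit ECC key standing in for a 3,072-bit RSA key and ECDSA signatures being smaller than RSA ones, can be measured directly. The script below is an added example, not part of the original article; it assumes `openssl` on PATH, generates one P-256 and one RSA-3072 key, signs a constructed message with each, verifies both signatures, and reports the public key and signature sizes in bytes.

```shell
#!/bin/sh
# Added example (not from the original article): compare a P-256 ECDSA key
# with a 3,072-bit RSA key on public-key size and signature size, and check
# that both signatures verify. Assumes openssl on PATH; file names are arbitrary.

# Generate both private keys in directory $1; non-zero exit on failure.
make_keys() {
    dir="$1"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/ec.key" 2>/dev/null || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/rsa.key" 2>/dev/null || return 1
}

# Print the size in bytes of the DER-encoded public key (SubjectPublicKeyInfo),
# which is what ends up inside the certificate.
pubkey_der_bytes() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | wc -c | tr -d ' '
}

# Sign message file $2 with private key $1 over SHA-256 (ECDSA for an EC key,
# RSA PKCS#1 v1.5 for an RSA key), write the signature to $3, print its size.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2" 2>/dev/null || return 1
    wc -c < "$3" | tr -d ' '
}

# Exit 0 when signature $2 over message $3 verifies under the public key of $1.
verify_file() {
    openssl pkey -in "$1" -pubout -out "$1.pub" 2>/dev/null || return 1
    openssl dgst -sha256 -verify "$1.pub" -signature "$2" "$3" >/dev/null 2>&1
}

# Print a small comparison table for directory $1 (constructed message inside).
compare_sizes() {
    dir="$1"
    printf 'constructed test message\n' > "$dir/msg.txt"
    ec_sig=$(sign_file "$dir/ec.key" "$dir/msg.txt" "$dir/ec.sig") || return 1
    rsa_sig=$(sign_file "$dir/rsa.key" "$dir/msg.txt" "$dir/rsa.sig") || return 1
    printf 'P-256 ECDSA: pubkey %s bytes, signature %s bytes\n' \
        "$(pubkey_der_bytes "$dir/ec.key")" "$ec_sig"
    printf 'RSA-3072:    pubkey %s bytes, signature %s bytes\n' \
        "$(pubkey_der_bytes "$dir/rsa.key")" "$rsa_sig"
}
```

Usage: `d=$(mktemp -d) && make_keys "$d" && compare_sizes "$d"`. A P-256 public key is 91 bytes in DER and its DER-encoded ECDSA signature is about 70 to 72 bytes, while the RSA-3072 public key is roughly 420 bytes and every RSA-3072 signature is exactly 384 bytes; those differences are what shrinks the certificate and the handshake.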
ECPVS algorithm – a highly specialised alternative to ECDSA
There is also another alternative to ECDSA: the ECPVS algorithm (Elliptic Curve Pintsov-Vanstone Signature). This algorithm is unique in that it supports recovery of part of the signed message from the signature. ECPVS is included in many standards, such as IEEE P1363a, ANSI X9.92 and ISO 9796-3. It is used in various postal services, as well as to verify signatures on cheques and on short messages of 1 byte (for example, a "yes/no" answer).
Upon request, we can always issue any digital certificates you require.