Which algorithm to choose while issuing/ordering an SSL/TLS certificate? (2024)


Cryptography plays a central role in today's technology, where almost everything we do is data exchange. Three factors should be weighed when choosing the key algorithm for a certificate:

  1. Speed and Performance
  2. Security
  3. Compatibility

Public Key Infrastructure (PKI) is the set of hardware, software, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI is also what binds a public key to an identity, through a Certificate Authority (CA) that signs the certificate. SSL/TLS, built on PKI, is a hybrid cryptosystem: asymmetric keys authenticate the server and establish a session, and symmetric keys protect the bulk data, so it benefits from the strengths of both.

For example, in an SSL/TLS connection the server's certificate carries its asymmetric public key; the matching private key stays on the server and is never sent. The session key that the server and the browser agree on during the handshake is symmetric. The steps below show how the two fit together.


The client browser opens a connection to the responding server:

1. The responding server sends its certificate, which contains its asymmetric public key. The browser validates the certificate chain (issued by a trusted CA, not expired or revoked, name matches the site) before it trusts that key.

2. The client browser generates a random symmetric session key, encrypts it with the server's asymmetric public key, and sends the result to the server.

3. The responding server decrypts the wrapped session key with its asymmetric private key and obtains the symmetric session key. Nobody without the private key can do this, which is why the private key must never leave the server.

4. The responding server and the client browser now encrypt and decrypt all transmitted data with the symmetric session key. This gives a secure channel because only the browser and the server know the session key, and the key is used for that session only. If the browser connects to the same server the next day, a new session key is created.

This sequence is the RSA key-exchange mode of TLS 1.2 and earlier. With the ECDHE cipher suites that servers prefer today, and in every TLS 1.3 connection, the session key is instead derived from an ephemeral Diffie-Hellman exchange, and the certificate's key is used only to sign the handshake. That gives forward secrecy (a later theft of the server key does not expose recorded sessions) and it matters for the choice discussed below: an ECDSA certificate key never encrypts anything, it only signs.
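The four steps above, carried out by hand with the openssl command line. This is an added example and not part of the original article; it assumes an openssl binary (1.1.1 or later) on PATH, works in a scratch directory, and the HTTP request it protects is a constructed string.

```shell
#!/bin/sh
# Added example, not from the original article: the RSA key-transport
# handshake performed step by step with the openssl CLI (assumed on PATH,
# 1.1.1 or later). Files live in a scratch directory; the request is constructed.
set -eu

# Runs the exchange; returns 0 only if the server recovers the exact
# session key and the symmetric channel round-trips the message.
rsa_key_transport_demo() {
    work=$(mktemp -d)

    # Server: long-term RSA key pair. The public half is what the certificate
    # carries (step 1); the private half never leaves the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/server.key" 2>/dev/null
    openssl pkey -in "$work/server.key" -pubout -out "$work/server.pub"

    # Step 2, client: fresh 256-bit session key, wrapped with the server's
    # public key. RSA-OAEP rather than PKCS#1 v1.5, whose padding oracle
    # (Bleichenbacher) has been exploited against TLS repeatedly.
    openssl rand -hex 32 > "$work/session.client"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$work/session.client" -out "$work/session.enc"

    # Step 3, server: only the private key can unwrap the session key.
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$work/session.enc" -out "$work/session.server"
    cmp -s "$work/session.client" "$work/session.server" || return 1

    # Step 4: both sides use the shared symmetric key for the data. The IV
    # travels in the clear next to the ciphertext; real TLS also authenticates
    # every record (AEAD), which this bare CBC demonstration omits.
    iv=$(openssl rand -hex 16)
    printf 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n' > "$work/req.txt"
    openssl enc -aes-256-cbc -K "$(cat "$work/session.client")" -iv "$iv" \
        -in "$work/req.txt" -out "$work/req.enc"
    openssl enc -d -aes-256-cbc -K "$(cat "$work/session.server")" -iv "$iv" \
        -in "$work/req.enc" -out "$work/req.dec"
    cmp -s "$work/req.txt" "$work/req.dec" || return 1

    rm -rf "$work"
    return 0
}

rsa_key_transport_demo && echo "session key transported; symmetric channel verified"
```

The script only shows the legacy RSA mode; with ECDHE or TLS 1.3 the two pkeyutl calls would be replaced by an ephemeral key agreement plus a signature from the certificate key over the handshake transcript.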

RSA (Rivest–Shamir–Adleman) and ECC (elliptic curve cryptography) are the two public-key algorithm families used for the keys in SSL/TLS certificates. The certificate key's job is digital signatures: the CA signs the certificate, and the server signs the handshake (or, in the legacy RSA key exchange of TLS 1.2 and earlier, decrypts the session key). ECC has attracted a great deal of attention in recent years as the alternative to RSA.

RSA Algorithm

RSA (Rivest–Shamir–Adleman) is the most widely adopted asymmetric cryptographic algorithm. It was invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977, and its security rests on the difficulty of factoring a large integer: the public modulus is the product of two secret primes, and anyone who could recover those primes could compute the private key. RSA is used extensively for website TLS, S/MIME email, code signing, and more, and it is still the most common key type in SSL/TLS certificates. The public key encrypts data or verifies a signature; the private key decrypts or signs. RSA at 2048 bits and above is considered secure, it is supported by every TLS client in existence, and most SSL/TLS certificates issued today still carry RSA keys. Keys shorter than 2048 bits are no longer issued by public CAs.

Digital Signature Algorithm

DSA (Digital Signature Algorithm) is a legacy algorithm for SSL/TLS certificates. As its name says, it only signs: the private key signs and the public key verifies, and it cannot encrypt, so it never worked with the RSA-style key exchange described above and always needed Diffie-Hellman alongside it. DSA certificates are effectively dead on the web: public CAs do not issue them, TLS 1.3 removed DSA entirely, and current browsers do not accept them. Do not order one.

Elliptical Curve Cryptography

Elliptic curve cryptography (ECC) was proposed in 1985, independently, by the mathematicians Neal Koblitz and Victor S. Miller. It took about twenty years to reach mainstream use; standards, browser and OpenSSL support arrived around 2005 and later. ECC's security rests on the elliptic curve discrete logarithm problem (ECDLP). Unlike factoring, for which the number field sieve gives a sub-exponential attack, the best known classical attacks on a well-chosen curve are generic and cost roughly the square root of the group order, so a 256-bit curve gives about 128-bit security. That is why ECC keys can be so much shorter than RSA keys of the same strength, which is what "more secure" means here: more security per key bit, not an unbreakable problem. In TLS, ECC keys are used for ECDSA signatures (certificates) and ECDH/ECDHE key agreement, not for encrypting data. Key generation and signing are also much faster than with RSA, which helps on mobile and embedded devices. One caveat applies to both families: a large quantum computer running Shor's algorithm would break RSA and ECC alike, and the post-quantum replacements now being standardised are a separate topic.


Advantages / Feature Comparison


The primary difference between RSA and ECC certificates is how many key bits are needed for a given security strength. NIST SP 800-57 gives these equivalences (ECC key size, with the matching NIST curve):

  Security strength   RSA modulus    ECC key
  80 bits             1024 bits      160 bits   (no longer acceptable)
  112 bits            2048 bits      224 bits
  128 bits            3072 bits      256 bits   (P-256)
  192 bits            7680 bits      384 bits   (P-384)
  256 bits            15360 bits     512 bits   (P-521)

For example, to match the 256-bit security level of AES-256 with RSA you would need a 15,360-bit RSA key. Nobody deploys that: key generation, signing and the handshake itself would be far too slow, and public CAs do not issue such keys. In practice the web runs on RSA-2048 (or 3072) and ECDSA P-256 (or P-384).

An ECC certificate gives both better performance and more security per key bit than an RSA certificate in a Public Key Infrastructure (PKI). If you are ordering a certificate and your clients are reasonably current, choose the ECC (ECDSA P-256) option. If you must keep supporting legacy clients, you can run an RSA certificate as well: the common web servers accept one certificate of each type and present whichever the connecting client supports.

ECC is probably better for most purposes, but not for everything.

Disadvantages of RSA & ECC


The benefit of ECC over RSA is the same security with far smaller keys, so less processing overhead and fewer bytes on the wire. ECC is not a bulk encryption algorithm: it is used to build key agreement (ECDH/ECDHE) and digital signature (ECDSA, and the newer EdDSA) schemes, while the application data is protected by a symmetric cipher such as AES-GCM or ChaCha20-Poly1305.

The small keys make ECC the natural choice for devices with limited storage or processing power, which are increasingly common in IoT and in new devices generally. On the server side, an ECDSA certificate chain and handshake signature are several times smaller than their RSA equivalents and ECDSA signing is faster, so each handshake needs fewer bytes and less CPU. That shaves time off the first page load and raises the number of handshakes a server can complete per second.
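Both the key-length comparison above and the "smaller handshake" claim can be measured directly. The script below is an added example, not code from the original article: for each key type it generates a key with openssl (assumed on PATH, 1.1.1 or later), signs a constructed message the way a server signs the handshake transcript, and reports the DER-encoded public key size and the signature size, both of which cross the wire in a TLS handshake.

```shell
#!/bin/sh
# Added example, not from the original article: puts numbers on "smaller
# keys". Generates RSA and EC keys with openssl (assumed on PATH, 1.1.1 or
# later), signs a constructed message with each, and reports the DER public
# key size and the signature size.
set -eu

# Usage: key_and_sig_size <label> <openssl genpkey options...>
# Prints "<label> pubkey=<bytes> sig=<bytes>".
key_and_sig_size() {
    label=$1; shift
    work=$(mktemp -d)
    printf 'handshake transcript (constructed)\n' > "$work/msg"
    openssl genpkey "$@" -out "$work/key" 2>/dev/null
    # SubjectPublicKeyInfo in DER: this is what sits inside a certificate.
    openssl pkey -in "$work/key" -pubout -outform DER -out "$work/pub.der"
    # SHA-256 digest of the message, signed as a server signs the handshake
    # (or a CA signs a certificate).
    openssl dgst -sha256 -sign "$work/key" -out "$work/sig" "$work/msg"
    pub=$(wc -c < "$work/pub.der" | tr -d ' ')
    sig=$(wc -c < "$work/sig" | tr -d ' ')
    rm -rf "$work"
    printf '%s pubkey=%s sig=%s\n' "$label" "$pub" "$sig"
}

# Helpers that return a single number, for scripted comparisons.
pub_bytes() { key_and_sig_size "$@" | sed 's/.*pubkey=\([0-9]*\).*/\1/'; }
sig_bytes() { key_and_sig_size "$@" | sed 's/.*sig=//'; }

# Roughly matched security levels: RSA-2048 ~ 112 bits, RSA-3072 and P-256
# = 128 bits, P-384 = 192 bits. ECDSA signatures vary by a byte or two
# because they are two DER-encoded integers.
key_and_sig_size RSA-2048 -algorithm RSA -pkeyopt rsa_keygen_bits:2048
key_and_sig_size RSA-3072 -algorithm RSA -pkeyopt rsa_keygen_bits:3072
key_and_sig_size EC-P256  -algorithm EC  -pkeyopt ec_paramgen_curve:P-256
key_and_sig_size EC-P384  -algorithm EC  -pkeyopt ec_paramgen_curve:P-384
```

Expect an RSA-2048 public key of 294 bytes with a 256-byte signature, against 91 bytes and about 70 bytes for P-256; a full certificate chain multiplies that difference by the number of certificates in it.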

Caution: check whether you or your customers still run legacy devices, browsers, web servers or operating systems. OpenSSL added ECC support in 0.9.8, but not every server or operating system that bundles OpenSSL was compiled with that support enabled. CentOS and RHEL, for example, only enabled ECC in their OpenSSL packages from version 6.5, and Ubuntu 12.04 LTS enabled ECC support in Apache 2.2.22. Anything older cannot serve, and in some cases cannot even load, an ECC certificate.

Today, ECC certificates are issued by most of the established Certificate Authorities.

Generating an elliptic-curve CSR requires OpenSSL 1.0 or later and takes two steps:

1). Create a file holding the elliptic-curve parameters. prime256v1 is OpenSSL's name for NIST P-256, the curve with the widest client support. Keep the default named-curve encoding; do not pass -param_enc explicit, since browsers reject keys with explicit curve parameters:

$ openssl ecparam -name prime256v1 -out ecparams.pem

2). Create the private key and the CSR in one command. -nodes leaves the key unencrypted on disk, so restrict the file's permissions and keep it on the server only; the CSR is what you send to the CA:

$ openssl req -new -sha256 -nodes -newkey ec:ecparams.pem -keyout my_ecc.key -out my_ecc.csr
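The same procedure as one checked script, added here as an example rather than taken from the original article. It generates the P-256 key directly, builds a CSR that carries a subjectAltName (the field CAs and browsers actually use; the CN on its own is ignored by modern browsers), then verifies the CSR's self-signature and inspects what was encoded before anything is sent to a CA. It assumes openssl 1.1.1 or later on PATH; the host name example.test is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: the ECC CSR procedure as a
# single checked script. Assumes openssl 1.1.1 or later on PATH; the host
# example.test is a placeholder.
set -eu

# Creates <prefix>.key, <prefix>.cnf and <prefix>.csr for host <host> and
# prints the decoded CSR.
make_ec_csr() {
    prefix=$1; host=$2
    umask 077   # an unencrypted key on disk must be readable by its owner only
    # One command replaces "ecparam" + "req -newkey": generate a P-256 key
    # with the named-curve encoding that CAs and browsers require.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -pkeyopt ec_param_enc:named_curve -out "$prefix.key"
    # Minimal request config: subject plus a subjectAltName extension.
    cat > "$prefix.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -new -sha256 -key "$prefix.key" -config "$prefix.cnf" \
        -out "$prefix.csr"
    # The CSR is self-signed with the new key: check that signature first.
    openssl req -in "$prefix.csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$prefix.csr" -noout -text
}

# Returns 0 if the CSR encodes a named P-256 key and the expected SAN;
# run this before sending the CSR to the CA.
check_ec_csr() {
    text=$(openssl req -in "$1.csr" -noout -text)
    printf '%s\n' "$text" | grep -q 'id-ecPublicKey' &&
        printf '%s\n' "$text" | grep -q 'prime256v1' &&
        printf '%s\n' "$text" | grep -q "DNS:$2"
}

work=$(mktemp -d)
make_ec_csr "$work/my_ecc" example.test >/dev/null
check_ec_csr "$work/my_ecc" example.test && echo "CSR for example.test is ready in $work"
```

The decoded CSR should show "Public Key Algorithm: id-ecPublicKey" with "ASN1 OID: prime256v1" and "NIST CURVE: P-256"; if it shows explicit curve parameters instead, the CA will most likely reject it and browsers certainly will.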


Chrome utilizes the cryptographic libraries of the operating system on which it is installed. As a result, Chrome 1.0 can process ECC certificates on Windows Vista+ but not on Windows XP.

Internet Explorer utilizes Windows system libraries for cryptographic functions. As a result, Internet Explorer 7 on Windows XP will not support ECC, but will on Windows Vista+ / Server 2008+.

Mozilla Firefox utilizes the NSS (Network Security Services) libraries to handle cryptographic functions like SSL, TLS, and certificate validation independent of the operating system’s cryptographic libraries. This means Firefox 2.0+ will handle ECC certificates even on operating systems that do not natively support ECC such as Windows XP.


Java 5 & 6 support ECC on platforms with native ECC PKCS#11 implementations. Java 7+ contains its own native ECC provider.

Conclusion

ECC is a real improvement in the cryptography underlying SSL/TLS certificates: better performance, smaller keys and signatures, and strong resistance to the known attacks, while remaining a drop-in alternative to RSA in every current client. When choosing an algorithm, weigh security, compatibility and performance. RSA-2048 is a safe choice that works everywhere; ECC (ECDSA P-256) is the better option for high-traffic sites and for mobile or embedded clients where handshake speed and CPU cost matter, and it is what most new deployments should pick unless a known legacy client rules it out. If in doubt, deploy one certificate of each type and let the server select per client, and consult your CA or a security engineer about your specific constraints.

Sources the article draws on:

GlobalSign Support
Cryptography Next Generation (Microsoft CNG)
Bouncy Castle: ECC Key Pair Generation
JDK 5: ECC Support
NGINX Changelog
RHEL 6.5 Release Notes
Tomcat Release Notes
Dovecot News: 2.2.5 Released
IBM PM80235

Own wisdom and experience.

Article information

Author: Mr. See Jast

Last Updated:

Views: 6786

Rating: 4.4 / 5 (75 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Mr. See Jast

Birthday: 1999-07-30

Address: 8409 Megan Mountain, New Mathew, MT 44997-8193

Phone: +5023589614038

Job: Chief Executive

Hobby: Leather crafting, Flag Football, Candle making, Flying, Poi, Gunsmithing, Swimming

Introduction: My name is Mr. See Jast, I am a open, jolly, gorgeous, courageous, inexpensive, friendly, homely person who loves writing and wants to share my knowledge and understanding with you.