ECC (Elliptic Curve Cryptography) encryption and SSL Certificates explained in detail: learn the main differences between RSA, DSA and ECC encryption for SSL.
2. UNDERSTANDING ELLIPTIC CURVE CRYPTOGRAPHY AND HOW IT RELATES TO SSL/TLS
• You may notice that a couple of the Symantec products we offer, namely the Symantec
Secure Site Pro line, advertise something called “ECC” or Elliptic Curve Cryptography. This
is a mathematical method that can be applied to SSL/TLS Encryption.
• ECC is actually not new; it’s been around for about a decade at this point. But given the
fact that it’s yet to be widely adopted, it remains a mystery to many people.
3. • ECC is incredibly complex, which is why we’ll avoid getting too granular in our discussion of
it at this point (that can be saved for future posts). Instead, we’re going to give you the main
points about ECC in case you’re interested in purchasing an SSL Certificate that makes use
of it.
4. WHAT EXACTLY IS ECC?
• There is a broad range of applications for Elliptic Curve Cryptography. When it comes to
SSL, it can be used to create encryption keys, to provide digital signatures, and
more.
• With any SSL Certificate there are quite a few cryptographic functions taking place. Every
SSL Certificate has a key pair and a hash, and they all involve authentication and key
exchange. ECC can be used for any of these functions.
5. • So what does that all mean? Well, it means ECC can be the backbone of your SSL
Certificate in a number of ways. And while a layman likely wouldn’t know the
difference between an SSL Certificate that uses ECC and one that uses more
traditional methods, there is a significant difference in performance.
• And frankly, as the need for greater security grows and the current methods strain to
grow with it, that performance gap will only continue to grow, but we’ll talk more about
that later.
6. • Other methods that are currently used with SSL include RSA and DSA. You may have
seen these advertised in various SSL Certificate details as well. RSA is named after its
creators: Rivest, Shamir and Adleman. DSA is an acronym for Digital Security Algorithm
(it was developed by the United States government). Of the two, RSA is the more widely
used algorithm.
• We won’t spend too much time on the differences between these two except to say they
make calculations differently. In fact, all three make calculations differently. We’ll spare
you the mathematical details, but suffice it to say those differences have some pretty large
ramifications on the long-term viability of each.
7. POWERFUL PERFORMANCE
• Every day computers become more and more powerful. As you read this, in labs around the
world, scientists are tinkering with quantum computers that will one day make the lightning
fast performance of the computers we use currently seem absolutely pedestrian. That is to
say, the processing power of computers continues to increase every day.
• In order to stay ahead of those advancements, encryption technology needs to continue
advancing as well. Right now, we measure encryption strength in “bits of security” or just
bits. This refers to how much work a computer would need to do to break said encryption.
You probably see things like 2048-bit key and 256-bit encryption strength thrown around all
the time.
8. • In order to break encryption, a computer literally needs to guess, which means trying
millions of combinations of bits. The time this takes depends on the computer’s processing
power.
• To give you a sense of scale, given our current industry standards, it would likely take an
organization like the NSA, which has massive amounts of computing resources, over a
decade to break encryption. But, as we mentioned earlier, as computer processing power
continues to increase, the time it would potentially take to break encryption continues to
shorten.
9. SO HOW DOES THIS TIE IN TO ECC, RSA AND DSA?
• Well, how many “bits of security” these methods provide depends on a range of factors. And
it’s not actually a 1:1 type of situation. For instance, a 2048-bit RSA key doesn’t actually
provide 2048 “bits of security,” rather it provides only 112.
• Here’s where ECC shines. If you double the size of an RSA key to 4096, you’re not doubling
the number of “bits of security.” In fact, you’re actually only going to see about a 20% gain.
That means a more cumbersome key, which is going to hurt performance and not increase
the level of security that substantially.
10. • ECC on the other hand can achieve equivalent “bits of security” using much smaller keys.
And when we say much smaller, we’re talking like 90% smaller. This in turn means better
performance. It also means better scalability. As industry standards increase, RSA and DSA
keys will become larger and more unwieldy and ECC will start becoming more widely
adopted.
• Already, large sites – let’s call them mega-sites – like Facebook and Cloudflare are using
ECC because of the massive performance benefits.
• Granted, for a smaller site, you may not notice much of a difference. But again, it’s all about
scalability.
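The key-size comparison above can be reproduced with a short calculation. This is an added example, not part of the original slides: it assumes the general number field sieve (GNFS) cost estimate for RSA, with the calibration constants used in NIST's FIPS 140-2 implementation guidance, and the square-root cost of generic attacks for ECC. Because it is a model, its figures are approximate and need not match the rounded numbers quoted above.

```python
import math


def rsa_security_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    GNFS running time is about exp(1.923 * (ln n)^(1/3) * (ln ln n)^(2/3));
    the result is converted to bits, with the -4.69 calibration term
    (assumption: constants as in the FIPS 140-2 implementation guidance).
    """
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def ecc_key_bits_for(security_bits: float) -> int:
    """ECC key size for a given strength.

    Generic attacks on the elliptic-curve discrete log (e.g. Pollard's rho)
    cost about the square root of the group order, so the key is ~2x the
    security level in bits.
    """
    return 2 * math.ceil(security_bits)


def compare(rsa_sizes=(1024, 2048, 3072, 4096, 7680, 15360)):
    """Return rows of (RSA bits, est. strength, matching ECC bits, % smaller)."""
    rows = []
    for size in rsa_sizes:
        strength = rsa_security_bits(size)
        ecc = ecc_key_bits_for(strength)
        rows.append((size, round(strength, 1), ecc, round(100 * (1 - ecc / size))))
    return rows


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'strength':>9} {'ECC bits':>9} {'smaller':>8}")
    for size, strength, ecc, pct in compare():
        print(f"{size:>9} {strength:>9} {ecc:>9} {pct:>7}%")
    gain = rsa_security_bits(4096) / rsa_security_bits(2048) - 1
    print(f"Doubling RSA 2048 -> 4096 adds about {gain:.0%} strength")
```

Running it shows the strength of RSA growing far more slowly than the key size, while the matching ECC key stays roughly twice the security level.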
11. ADOPTING ECC
• As we mentioned, ECC is currently only in use by a small number of sites. For your average
company or organization, the performance difference is negligible. The SSL Handshake still
takes place in a matter of milliseconds even with RSA and DSA keys. Given the way humans
perceive time, a performance difference that deals in milliseconds – even if it is up to 100%
better – isn’t even noticeable.
• And to that end, recent data from Mozilla’s TLS Observatory says over 90% of SSL
Certificates in use today use RSA keys, while just 4% use ECC. RSA has pretty much been
king since SSL was invented.
12. • Because of this, server and client software has been slow to support ECC and many CAs
don’t even provide it as an option (as we said at the beginning of this article, even within our
sizeable product log, only a few high-end Symantec Certificates offer it).
• But, as the processing power of computers continues to advance and forces industry
standards to call for more secure keys and encryption strength, ECC is going to see
substantial growth in terms of its popularity. RSA and DSA will soon be pushed beyond their
reasonable limits and ECC is their logical successor.
• So why wait for the industry to tell you to use ECC? Invest in it now and stay ahead of the
curve. After all, ECC is the future. It’s just a matter of when you want to embrace it.
13. IMPORTANT RESOURCES
• Symantec SSL Certificates – The Next Evolution in Business Security
• Why EV SSL Certificates Are Perfect for Startup E-Commerce Companies
• HTTPS Encryption for iOS and Android – A Step Towards Cybersecurity Awareness
14. FOR MORE DETAILS ON ECC ENCRYPTION
Blog: cheapsslsecurity.com/blog