{"id":2770,"date":"2016-07-22T11:30:17","date_gmt":"2016-07-22T11:30:17","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=2770"},"modified":"2020-08-25T14:43:18","modified_gmt":"2020-08-25T18:43:18","slug":"understanding-ecc-5-minutes","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/understanding-ecc-5-minutes\/","title":{"rendered":"Understanding ECC in 5 Minutes"},"content":{"rendered":"<h2>A brief look at what ECC is, what it does, and why it\u2019s the future<\/h2>\n<p>Start your clocks<\/p>\n<p><strong><a href=\"https:\/\/www.thesslstore.in\/symantec\/ecc-algorithm.aspx\">Elliptic Curve Cryptography<\/a><\/strong> \u2013 abbreviated as ECC \u2013 is a mathematical method that can be used in SSL. It\u2019s been around for quite a while \u2013 over 10 years already \u2013 but remains a mystery to most people. That\u2019s because ECC is incredibly complex and remained unsupported by most client and server software, until recently.<\/p>\n<p>I won\u2019t be getting into the math behind ECC or what exactly it does to encrypt\u2014that\u2019s another post for another time. Instead, I will be giving a very general introduction to ECC so you can have a good sense of what it is and why it\u2019s important.<\/p>\n<p>Don\u2019t worry, this will only take a few minutes.<\/p>\n<h2><strong>What is ECC?<\/strong><\/h2>\n<p>ECC is a mathematical method that can be used for all sorts of stuff \u2013 creating encryption keys, providing secure digital signatures, and more. When it comes to ECC\u2019s use with SSL certificates \u2013 it\u2019s a very flexible tool.<\/p>\n<p>There are quite a few cryptographic functions going on with SSL Certificates and the SSL protocol: every SSL certificate has a \u201ckey pair\u201d and a \u201chash,\u201d and every SSL connection involves authentication and key exchange. ECC can be used for any (or all) of these four functions.<\/p>\n<p>What does that mean, in plain language? 
It means that ECC can be the cryptographic \u201cunderpinning\u201d of your SSL certificate in a variety of ways. While you would not necessarily know the difference between an SSL certificate using ECC compared to a certificate using another method, using ECC often translates to significantly improved performance.<\/p>\n<p>The other methods that can be used as your cryptographic \u201cunderpinning\u201d are RSA and DSA (RSA is named after its inventors: Rivest, Shamir, and Adleman. DSA stands for \u201cDigital Security Algorithm\u201d and was developed by and for the US government). You may have heard of RSA before; it is by far the most used method and is currently considered the industry standard.<\/p>\n<p>The difference between these methods is largely technical (the ways in which they perform calculations). Truly understanding HOW these methods work is mostly reserved for cryptographers and mathematicians. But anyone with a basic familiarity with computers can understand the benefits of each.<\/p>\n<h2><strong>Speedy and Secure<\/strong><\/h2>\n<p>As computers become more powerful, encryption technology needs to continue to advance in order to keep data secure. \u201cBits of security\u201d is a measure of security strength based on how much work a computer needs to do to break the encryption. Breaking encryption refers to a computer\u2019s ability to figure out an encryption key and decode the messages. Computers do this by literally guessing and trying millions of possible combinations of bits. How long this takes depends on how much processing power you dedicate to breaking a key. 
For an everyday desktop computer, breaking an industry-standard key would take longer than the number of years that the Earth has existed. For an organization like the NSA that has a huge amount of resources, it would still take more than a decade.<a href=\"#_ftn1\" rel=\"nofollow\" name=\"_ftnref1\">[1]<\/a><\/p>\n<p>How many \u201cbits of security\u201d an algorithm or cryptosystem provides depends on a lot of factors \u2013 and it\u2019s not a 1:1 situation. The most popular type of key in use with SSL certificates is the 2048-bit RSA key. While those keys are 2048 bits long, they only provide 112 \u201cbits of security\u201d.<\/p>\n<p>If you double an RSA key in size, you do not double its strength. In fact, a 100% increase in key size isn\u2019t even giving you a 20% increase in strength.<a href=\"#_ftn2\" rel=\"nofollow\" name=\"_ftnref2\">[2]<\/a> That\u2019s quite inefficient.<\/p>\n<p>One of the attractive features of ECC is that it can achieve equivalent \u201cbits of security\u201d to RSA\/DSA with much smaller keys \u2013 we are talking 90% smaller keys.<a href=\"#_ftn3\" rel=\"nofollow\" name=\"_ftnref3\">[3]<\/a><\/p>\n<p>Smaller keys translate to improved performance. Keys are used in the \u201cSSL Handshake\u201d \u2013 which is the process that establishes an SSL connection. The handshake must occur before the user\u2019s browser can display a website (assuming that site is using SSL), so you want that handshake to happen as quickly as possible.<\/p>\n<p>As we mentioned above, RSA does not scale well. And as RSA keys get larger, the performance gap with smaller ECC keys grows. Seriously \u2013 once RSA keys reach 3072 bits and larger, ECC performs more than 100% faster.<\/p>\n<p>Depending on how much security strength you need to provide, or how complex or performant your website\/service needs to be, you might see performance benefits in using ECC today. 
Many larger sites \u2013 including Facebook and Cloudflare \u2013 are already using ECC because of the performance benefits that come at their scale. But you don\u2019t need to be a digital behemoth to benefit from ECC. Anyone can see savings of a few hundred milliseconds (or more) with ECC technology.<\/p>\n<h2><strong>Using ECC<\/strong><\/h2>\n<p>But despite the benefits of ECC, it is currently only used by a small number of sites.<\/p>\n<p>Recent data shows RSA is still the most widely used by a wide margin \u2013 more than 90% of SSL certificates use RSA keys (only 4% of certificates used ECC keys).<a href=\"#_ftn4\" rel=\"nofollow\" name=\"_ftnref4\">[4]<\/a> RSA has been the go-to cryptosystem since the inception of SSL, making it the most widely-supported option out there.<\/p>\n<p>Most sites aren\u2019t using ECC yet because server and client software has been slow to support it, and not every Certificate Authority (CA) is currently capable of providing SSL certificates that use ECC keys.<\/p>\n<p>But don\u2019t let that deter you! ECC is gaining popularity and support every day. Getting started with ECC can be as easy as updating your server configuration (no need to spend any money or get a new certificate). If that is something that interests you, start by looking to see if your server OS supports \u201cECDHE\u201d or \u201cECDSA\u201d (and if so, see <a href=\"https:\/\/mozilla.github.io\/server-side-tls\/ssl-config-generator\/\" rel=\"nofollow\">Mozilla\u2019s TLS configuration generator<\/a> to get configuration settings that use ECC).<\/p>\n<p>The current industry standard is to use a 2048-bit RSA key. These keys will probably be considered secure for at least 10 more years.<a href=\"#_ftn5\" rel=\"nofollow\" name=\"_ftnref5\">[5]<\/a> But when it can be demonstrated that those keys can be easily broken, the SSL industry will need to pick a new standard. 
As RSA performance degrades with larger key sizes, we may see ECC take its place sooner rather than later.<\/p>\n<p><a href=\"#_ftnref1\" rel=\"nofollow\" name=\"_ftn1\">[1]<\/a> \u201cTable 1.2. Security levels and equivalent strength in bits, adapted from ECRYPT2 (2012)\u201d as it appears in Bulletproof SSL and TLS, pg. 17.<\/p>\n<p><a href=\"#_ftnref2\" rel=\"nofollow\" name=\"_ftn2\">[2]<\/a> A 4096-bit RSA key only yields about 135 bits of security (estimated from ECRYPT2 Recommendations).<\/p>\n<p><a href=\"#_ftnref3\" rel=\"nofollow\" name=\"_ftn3\">[3]<\/a> \u201cNIST Special Publication 800-57: Recommendation for Key Management \u2013 Part 1: General, Revision 3\u201d (as it appears in Bulletproof SSL and TLS, pg. 18)<\/p>\n<p><a href=\"#_ftnref4\" rel=\"nofollow\" name=\"_ftn4\">[4]<\/a> Recent data from Mozilla\u2019s TLS Observatory. Of 1,585,701 observed certificates, 1,524,233 of them used 2048-bit or larger RSA keys. 60,486 used ECDSA keys. Source: <a href=\"https:\/\/twitter.com\/jvehent\/status\/729048439686877184\">https:\/\/twitter.com\/jvehent\/status\/729048439686877184<\/a><\/p>\n<p><a href=\"#_ftnref5\" rel=\"nofollow\" name=\"_ftn5\">[5]<\/a> <a href=\"https:\/\/www.yubico.com\/2015\/02\/big-debate-2048-4096-yubicos-stand\/\">https:\/\/www.yubico.com\/2015\/02\/big-debate-2048-4096-yubicos-stand\/<\/a> and \u201cTable 1.2. Security levels and equivalent strength in bits, adapted from ECRYPT2 (2012)\u201d as it appears in Bulletproof SSL and TLS, pg. 
17.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A brief look at what ECC is, what it does, and why it\u2019s the future Start your clocks Elliptic Curve Cryptography \u2013 abbreviated as ECC \u2013 is a mathematical method&#8230;<\/p>\n","protected":false},"author":2,"featured_media":2857,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[137,138,139],"class_list":["post-2770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-ecc","tag-eliptic-curve-cryptography","tag-symantec","post-with-tags"],"views":29336,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/07\/iStock_48919886_SMALL.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=2770"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2770\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/2857"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=2770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categorie
s?post=2770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=2770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}