Public key infrastructure (PKI) relies on two different cryptographic keys, a public key and a private key, to encrypt and decrypt data. These complex algorithms use mathematical formulas to generate digital certificates with unique digital identities to secure information.
Elliptic Curve Cryptography (ECC) is one method of generating these key pairs that has proven to be an effective way to secure data. The National Institute of Standards and Technology (NIST) has endorsed ECC as a recommended algorithm for secure key exchange with standards for digital signatures.
ECC keys have a shorter key length and require less power, which is significant for use in embedded systems, such as mobile or IoT devices, and for faster load times.
What Is Elliptic Curve Cryptography?
The name says it all. Elliptic Curve Cryptography (ECC) is a type of cryptography using public and private key encryption based on elliptic curve theory. This creates smaller, but more efficient encryption keys for security.
ECC cryptography is growing in popularity relative to the Rivest-Shamir-Adelman (RSA) public-key encryption methodology used to secure data in transit. While the RSA algorithm provides encryption of email or data using prime number factoring, ECC cryptography bases public keys on the looping lines on intersecting axis points on a graph.
The lines are symmetrical across the x-axis and non-vertical lines intersect the curve in three or fewer locations. Elliptic curve cryptography explained as a simplified formula would look like this:
Elliptic Curve Equation
Y² = x³ + ax + b
Pros and Cons of This Algorithm
One of the reasons for the growing popularity of ECC cryptography is that the keys themselves are considerably smaller in size for the same effective encryption strength. For example, an ECC cryptography key of 256 bits would have the same level of security as an RSA key of 3072-bit size. There’s also not a direct line between the sizes and security. For example, an ECC key of 521 bits would require an RSA key length of 15360-bits to provide the same level of encryption.
ECC-based systems provide a higher security level in comparison to other methods and have been proven to withstand levels of quantum computing, although it is expected to break ECC at some point in the future.
The smaller key size makes key generation and signing much quicker to use, reducing any latency introduced into the process. This is also important for mobile devices or IoT devices that have less storage space and less computing power to solve elliptic curve algorithms.
ECC also allows faster SSL/TLS handshakes to exchange and validate digital certificates for a web page. Because of the smaller size, less data needs to move back and forth, resulting in faster load times for websites. ECC certificates also use less memory in general, which can help accelerate network performance. For high-traffic sites, this can be a significant advantage and provide better scalability because of the lower threshold for compute power on servers — especially when you consider the billions of endpoints globally.
For example, an RSA certificate generally has a response time of 150 milliseconds for 450 requests, while ECC can accommodate the same number of requests in half the time.
There are some downsides to using Elliptic Curve Cryptography, however. There’s a higher learning curve for adoption and it’s more complex to integrate. This can result in a potentially higher error rate during implementation, which could impact availability or security. That’s essentially what happened to Sony when it mishandled its ECDSA (Elliptic Curve Digital Signature Algorithm) to sign software on its PlayStation gaming system. Developers used static parameters rather than random keys, allowing hackers to solve the algorithm and decipher private keys.
One potential worry is side-channel attacks (SCA). Side-channel attacks extract secret keys from chips or systems by monitoring and making sense of information that is “leaked” from a processor. These side channel attacks spy on things like the chip’s power consumption or temperature changes, the timing of processor events, or even the sound it makes. Based on this information, a sophisticated side channel attack can reduce the potential key space and make brute force attacks feasible.Countermeasures do exist to these attacks, which more or less involve introducing some randomness or other cover to obscure the information carried by these side channels.
Another potential attack against ECC is a twist-security, or fault, attack. In this scenario an attacker provides a mathematically invalid public key, one that does not lie on any ECC curve. This can start a process in which the attacker is able to reverse engineer the target’s private key from the connection’s shared key. These attacks can also be mitigated by paying close attention to curve and parameter validation.
Using This Method
Elliptic Curve Cryptography can help secure websites using smaller, faster keys to speed up performance and reduce latency without sacrificing security. How you implement and manage your ECC algorithms, however, will play a significant role in protecting your digital keys.
Sectigo provides the most comprehensive suite of SSL certificates and cybersecurity products to keep your business and your customer safe. We also offer a Certificate Lifecycle Management platform that securely manages digital identities for both public and private certificates for any device, user, or application.
Learn more about Sectigo and how we can help protect your website from security threats.