SearchSupportFree trial
Contact us
Podcast

Root Causes 478: Should We All Switch from RSA to ECC?

Hosted by
Tim Callan
Chief Compliance Officer
Original broadcast date
March 17, 2025

RSA is under attack. Even without the quantum threat, we face the possibility of smart new exploits reducing the viable RSA key space and rendering it unsafe. In this episode we discuss the merits of choosing ECC over RSA as soon as today.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanSo you proposed what I think is a provocative topic that you and I haven't compared notes on at all, so we'll see how this is going to go. We're going to surprise each other with our thoughts. But your question essentially was, should we, should all of us, be migrating away from RSA to ECC, basically starting now. Did I get that right?
Jason SorokoJason SorokoYou got it exactly right, Tim. Part of what prompted this - and this is a question we've asked ourselves internally for a while. Let me tell you what is prompting it, and then we'll get right into the meat of the matter. We recently had Michele Mosca. Because one of the questions we had asked him, Tim, was, never mind the risk of quantum computers to encryption, RSA and ECC, what about today's classical computers? What is the risk to RSA and ECC? And you can go back to that podcast and listen to him say that there was at least five times more risk right now with RSA over ECC.
Tim CallanTim CallanThis is, to be clear, this is that we defeat RSA using methods that do not require a quantum computer. That just smart people at whiteboards, as I like to put it, come up with new attacks, which is happening all the time, and figure out a way to basically render RSA functionally insecure. RSA and ECC both have that risk. Michele’s assessment, as you said, is the risk with RSA is 5x that of the risk with ECC. So your point being, Jason, that why don't we buy ourselves a little bit of insurance right now and migrate and just start migrating from RSA to ECC? Is that right?
Jason SorokoJason SorokoThat is 100% correct, Tim. So for those of you who are curious, these comments by Michele Mosca were buried in the episode of Root Causes Episode 460. So check that out, please. So we have said actually multiple times on this podcast, well before that podcast that was ever aired, what happens if we wake up tomorrow morning and RSA is deprecated because of some kind of just better math against RSA.
Tim CallanTim CallanThere have been people who have claimed to do that a few times in the last few years. Now, those claims didn't pan out, but it shows the credibility of that viewpoint that when these claims came, the first instinct from researchers and tech journalists was to scrutinize it and say, okay, well, is that true? Because it seems to a lot of people like it's credible that sooner or later this could happen, and it really would be true.
Jason SorokoJason SorokoI, Tim, very recently, was at a security conference, a lot of CISOs in the room. I was asked a really good question. Hey, can we just double the bit size of our RSA? That's what we used to do. Let's answer that question. RSA, as a cryptographic algorithm, is going to be deprecated in the 2030 timeframe by NIST. That's been announced.

ECC as well. Same timeframe. But to answer the question - this is the way I answered it to the few people who asked the question, was it is actually at the point where it really doesn't matter what you do now in terms of the key sizes. So I would say the best thing to start thinking between now and 2030 when all the classic algorithms are deprecated, RSA and ECC, you really should start to think yourself, if I'm a consumer of a publicly trusted certificate, or if I am setting the certificate profile of a private Certificate Authority - those are the two cases we're really talking about here. In both of those cases, if you're given the option of RSA or ECC as a cryptographic algorithm, me personally, if my systems work with ECC, I will choose elliptic curve cryptography as my algorithm over RSA. It's because of exactly what we just talked about, not the least of which is the statement by Michele Mosca, which we should all take very seriously.

Then the wider question, Tim, and I'll end it with this. I think this is the question we're asking on this podcast is, as a CA industry, and especially the company we work for directly, Sectigo, should we start to consider both promoting ECC over RSA, and should we start declaring RSA like, well, you can still get it issued. It still works. It's probably still secure, but there's more risk associated with it, and we fully recognize the fact that there's a lot of systems that probably are hard coded to work only with RSA at this point.

So that's a consideration. But on the other hand, there's a lot of you who are running modern web servers, for example, that can run either. If you were given the choice, you should probably run ECC. That's just a thought, Tim.
Tim CallanTim CallanI mean, I think you make a good point is, which is to say that moving 100% to ECC is going to prove not to be practical, just because there will be legacy systems or systems that only support the one. Even though it seems ridiculous, we know it's going to be. Some of that is because RSA is just so ubiquitous. It's just a ground assumption that's built into entire computing platforms. So then I guess the follow-on question that would come out of that is, is there a disadvantage? Maybe the answer is absolutely not. Is there a disadvantage to have a mix of cryptography? If I can't ever entirely get off RSA and I'm going to wind up with some RSA and some ECC together in a hodgepodge, is there a downside to that that is worth thinking about, or is it perfectly fine and it's absolutely irrelevant and don't you worry a pretty little head about it?
Jason SorokoJason SorokoIntuition tells me the answer to that is no, but I would like an answer better than intuition, and therefore I think that's why we're not making this a pronouncement episode, Tim. This is a let's think about this all together episode.
Tim CallanTim CallanLike it'd be a shame if you deployed a bunch of certs across a giant cluster, and then some stuff started gagging because the other side couldn't handle the ECC. But then you'd figure that out and you'd fix it.
Jason SorokoJason SorokoThe worst I saw way back in the day was when ECC was still in its infancy of usage and issuance. Issuance platforms weren't very good at issuing it at the very beginning, but that quickly got solved. In fact, ECC became, for the most part, even a little quicker to issue than RSA. So that got solved. That's the only problem I've ever seen with that.
Tim CallanTim CallanSo then riddle me this, Jay, and I think I know the answer, but I'm going to ask you anyway. If that's the case, if ECC is smaller, ECC is more performative, ECC is arguably more secure, why is it that the dominant algorithm in use is RSA?
Jason SorokoJason SorokoBy dominant, I think the latest numbers that I saw, which are getting a little old now, I think it's 2021 when this study was done, but I believe RSA is still at least over 60% of the issued public certificates. We could probably tighten that up and get the exact number, but I would say, Tim, answer the question like this. If the thinking is, what happens if RSA is deprecated tomorrow morning, you're going to be awfully happy if you know for a fact you're running ECC with the majority or all of your systems. That's the simple argument. Think of it like really, really cheap insurance against potential attacks and the greater attacks against RSA.
Tim CallanTim CallanSo I have a hypothesis about why RSA is dominant, and that is habit.
Jason SorokoJason SorokoNo, that's what it is, Tim. That was your question, and it's 100%. What's my default? Hey, I've heard the term RSA. I'm just gonna use it. Nobody ever got fired for using RSA.
Tim CallanTim CallanEverybody’s been saying RSA from the time that I was a little kid. Yes, we just, we all know we use RSA just the way we know that we breathe air. Exactly. There's this inability to question.

So I heard an interesting story just yesterday. Couple fish are swimming along, and couple young fish are swimming along, and an older, wiser fish is coming the other direction. The older, wiser fish says, hey, kids, how's the water? They say, fine, and they swim away. When they're past the older, wiser fish, one of the fish says, the other one, he goes, what's water. I think that's the situation. We don't even know we're assuming it, because it's just so basic. It's like air. It's like fish in water, and nobody even thinks about it. Nobody even questions it.
Jason SorokoJason SorokoI think that's a perfect analogy, Tim. It is literally so ubiquitous that it is like water to fish. There's no question.
Tim CallanTim CallanAnd so, that's why. So I don't know. So I guess I'll just, in the interest of trying to pick this apart, the only other thing I can come up with is, is it worth the changeover cost? So you say, okay, I'm mitigating a certain amount of risk, and I like mitigating risk, but there are going to be costs in changing over. There will be opportunity cost. There might be money cost. There certainly will be work, and there might be risk. There might be cost that the changeover itself causes problems and outages. So then I say, okay, when I put those two things on the scales, is it possible that the scale still tips in favor of RSA? What do you think of that?
Jason SorokoJason SorokoTim, I can break this down. I think I can break this down. Where you should land on continuing with RSA is probably for ensconced back office, private Certificate Authority systems. Systems that have been running for years where it would cost money to evaluate them and change them, might involve professional services and certainly somebody's time. Valuable time. So where I think you should land on ECC is obviously, any new private CA systems.

Number one, simply said. Then I think we can talk about public trust and break that down as well. So for people who don't care at all. Don't even know what RSA and ECC is. Here's one question. Question number one, should CAs start to issue ECC by default? Period. Out of the roots. Like that's just a question to be asked. Then number two, for those of you who are large customers, who really care about the certificate profile and the fact that you can get different kinds of certificates from CAs. Those of you who know that you've been having RSA issued and you don't have anything hard coded against it, there's probably not a lot of cost for you to make a telephone call to your CA and say, hey, I've got this contract with you where my certs come out of a certain root. Can I have them out of an ECC root instead going forward? And that's not an expensive phone call. So I think the scenarios where we should land on ECC are probably net new CA systems, CAs just in default mode what are we issuing to just the general public and then for those of us who have very specific contracts that name a cryptographic algorithm in their profiles, maybe those people need to be educated on maybe switch over to ECC, because hopefully, for most of you, it's not that be big of a deal.
Tim CallanTim CallanAnd another point probably worth considering is whatever changing switching costs you do have in terms of time and, potential for technical problems and whatnot, those are one offs. You do that, now you're running on the new algorithm, and now, as your new certs come, you just get new certs with the new algorithm, and you don't have to pay that price tag again and again and again. So that's valid too. You need to think about this as a one-time switching cost in terms of effort, risk, etc., and then it's behind you.
Tim CallanTim CallanTim, I only have one more thought, and that is this all falls under cryptographic agility. I realize people, most people don't think about cryptographic agility as being the classic algorithms, but it does. Most people think about it as well switching to post-quantum cryptography algorithms, when in reality, switching from RSA to ECC is a form of cryptographic agility. So this is a thought for all of you - if you find systems or you have an inability to switch from RSA to ECC, you have a serious, serious cryptographic agility problem. If just switching to ECC is going to be hard, imagine how hard it is going to be switching to PQC algorithm.
Jason SorokoJason SorokoTim, I only have one more thought, and that is this all falls under cryptographic agility. I realize people, most people don't think about cryptographic agility as being the classic algorithms, but it does. Most people think about it as well switching to post-quantum cryptography algorithms, when in reality, switching from RSA to ECC is a form of cryptographic agility. So this is a thought for all of you - if you find systems or you have an inability to switch from RSA to ECC, you have a serious, serious cryptographic agility problem. If just switching to ECC is going to be hard, imagine how hard it is going to be switching to PQC algorithm.
Tim CallanTim CallanI agree, absolutely. That's a great point, which is, if you are afraid that you can't make this kind of switch and have it work correctly, maybe deploying ECC helps you shake out some of those problems. If we want to use ECC and it's problematic, guess what? We identified something that's guaranteed to be problematic when we go to PQC and we will have no choice.
Jason SorokoJason SorokoYour first step in cryptographic agility is to take inventory. I think just taking inventory of your RSC versus ECC gets you three quarters of the way there.
Tim CallanTim CallanAbsolutely. You and I have talked about this a lot. Know what your cryptography is. Know what it has. Cryptographic bill of materials. If you're doing a cryptographic bill of materials anyway, that is overlapping, heavily overlapping, with the work required to move your default away from RSA over the ECC. So, if you like reusing work, which I sure do, then this is one of the places where you can do that.
Jason SorokoJason SorokoThere it is, Tim. Get out there folks. Uunderstand your RSA versus ECC usage, and I think we're going to have to readdress this question, Tim. I think the CAs should be issuing more ECC. Just an opinion.
Tim CallanTim CallanIt’s interesting. I mean, look, how public CAs work, is they issue what they're told to issue. Like, the subscriber decides what they want. The CA has never tried to second guess that. But there may be opportunities not to be proscriptive and say you can't have RSA, but there may be opportunities to recommend and suggest and provide guidance, and that could be a role that the CA plays that's quite valid.
Jason SorokoJason SorokoTim, you made the perfect point. If it's just based on habit, then you probably have to change.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud