Understanding Elliptic Curve Cryptography and how it relates to SSL/TLS

You may notice that a couple of the Symantec products we offer, namely the Symantec Secure Site Pro line, advertise something called “ECC” or Elliptic Curve Cryptography. This is a mathematical method that can be applied to SSL/TLS Encryption.

ECC is actually not new; it's been around for about a decade at this point. But because it has yet to be widely adopted, it remains a mystery to many people.

ECC - Elliptic Curve Cryptography
ECC is incredibly complex, which is why we'll avoid getting too granular in our discussion of it at this point (that can be saved for future posts). Instead, we're going to give you the main points about ECC in case you're interested in purchasing an SSL Certificate that makes use of it.

What Exactly is ECC?

There is a broad range of applications for Elliptic Curve Cryptography. When it comes to SSL, it can be used to create encryption keys, to provide digital signatures, and more.

With any SSL Certificate there are quite a few cryptographic functions taking place. Every SSL Certificate has a key pair and a hash, and they all involve authentication and key exchange. ECC can be used for any of these functions.

So what does that all mean? Well, it means ECC can be the backbone of your SSL Certificate in a number of ways. And while a layman likely wouldn’t know the difference between an SSL Certificate that uses ECC and one that uses more traditional methods, there is a significant difference in performance. And frankly, as the need for greater security grows and the current methods strain to grow with it, that performance gap will only continue to grow, but we’ll talk more about that later.

Other methods that are currently used with SSL include RSA and DSA; you may have seen these advertised in various SSL Certificate details as well. RSA is named after its creators: Rivest, Shamir and Adleman. DSA is an acronym for Digital Security Algorithm (it was developed by the United States government). Of the two, RSA is the more widely used algorithm.

We won’t spend too much time on the differences between these two except to say they make calculations differently. In fact, all three make calculations differently. We’ll spare you the mathematical details, but suffice it to say those differences have some pretty large ramifications on the long-term viability of each.

Powerful Performance

Every day computers become more and more powerful. As you read this, in labs around the world, scientists are tinkering with quantum computers that will one day make the lightning fast performance of the computers we use currently seem absolutely pedestrian. That is to say, the processing power of computers continues to increase every day.

In order to stay ahead of those advancements, encryption technology needs to continue advancing as well. Right now, we measure encryption strength in “bits of security” or just bits. This refers to how much work a computer would need to do to break said encryption. You probably see things like 2048-bit key and 256-bit encryption strength thrown around all the time.

In order to break encryption, a computer literally needs to guess, which means trying millions of combinations of bits. The time this takes depends on the computer’s processing power.

To give you a sense of scale, given our current industry standards, it would likely take an organization like the NSA – which has massive amounts of computing resources – over a decade to break encryption. But, as we mentioned earlier, as computer processing power continues to increase, the time it would potentially take to break encryption continues to shorten.

So how does this tie in to ECC, RSA and DSA?

Well, how many “bits of security” these methods provide depends on a range of factors. And it’s not actually a 1:1 type of situation. For instance, a 2048-bit RSA key doesn’t actually provide 2048 “bits of security,” rather it provides only 112.

Here’s where ECC shines. If you double the size of an RSA key to 4096, you’re not doubling the number of “bits of security.” In fact, you’re actually only going to see about a 20% gain. That means a more cumbersome key, which is going to hurt performance and not increase the level of security that substantially.

ECC on the other hand can achieve equivalent “bits of security” using much smaller keys. And when we say much smaller, we’re talking like 90% smaller. This in turn means better performance. It also means better scalability. As industry standards increase, RSA and DSA keys will become larger and more unwieldy and ECC will start becoming more widely adopted.
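To make the "key exchange" and "much smaller keys" points above concrete, here is an added example that is not part of the original post: a bare-bones elliptic-curve Diffie-Hellman (ECDH) exchange in pure Python, the kind of operation an ECC-enabled TLS handshake performs so client and server can agree on session keys. It uses the secp256k1 curve only because its parameters are short to state (TLS deployments more commonly use NIST P-256; the group arithmetic is the same idea). The function names and the affine double-and-add ladder are my own choices for teaching; the ladder branches on secret bits and is not constant-time, so it is for illustration rather than production.

```python
import secrets

# secp256k1 domain parameters (standard SEC 2 values): y^2 = x^3 + 7 over GF(P)
P = 2**256 - 2**32 - 977
A = 0
B = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (GX, GY)
INF = None  # the point at infinity, the group's identity element


def on_curve(pt):
    """True if pt is the identity or satisfies the curve equation mod P."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law in affine coordinates (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p2 is the inverse of p1
        # doubling: tangent slope (3x^2 + a) / 2y
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        # addition: chord slope (y2 - y1) / (x2 - x1)
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by right-to-left double-and-add. Educational only: this branches
    on secret bits and is therefore not constant-time."""
    result = INF
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair(rng=secrets.randbelow):
    """Private key d in [1, N-1]; public key Q = d*G."""
    d = 1 + rng(N - 1)
    return d, scalar_mult(d, G)


def encode_public_key(pt):
    """Uncompressed SEC1 encoding 0x04 || X || Y: 65 bytes on a 256-bit curve,
    versus 256 bytes for a 2048-bit RSA modulus alone."""
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def shared_secret(my_priv, peer_pub):
    """ECDH: x-coordinate of my_priv * peer_pub. Rejects invalid peer points,
    the validation a TLS stack performs before using a received public key."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on the curve")
    return scalar_mult(my_priv, peer_pub)[0]


def ecdh_exchange(rng=secrets.randbelow):
    """Both sides of the exchange: each keeps its private key, sends only its
    public point, and derives the same shared x-coordinate."""
    client_priv, client_pub = generate_keypair(rng)
    server_priv, server_pub = generate_keypair(rng)
    client_secret = shared_secret(client_priv, server_pub)
    server_secret = shared_secret(server_priv, client_pub)
    return {
        "client_pub_bytes": len(encode_public_key(client_pub)),
        "server_pub_bytes": len(encode_public_key(server_pub)),
        "secrets_match": client_secret == server_secret,
    }


if __name__ == "__main__":
    print(ecdh_exchange())
```

Run it and both sides report the same secret while each public key is only 65 bytes on the wire; a 2048-bit RSA key exchange ships a 256-byte modulus just for the key, which is the size gap the post is describing. The on-curve check in shared_secret is the one line a defender should not skip: accepting an arbitrary point from a peer is how invalid-curve attacks leak private keys.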

Already, large sites – let’s call them mega-sites – like Facebook and Cloudflare are using ECC because of the massive performance benefits.

Granted, for a smaller site, you may not notice much of a difference. But again, it’s all about scalability.

Adopting ECC

As we mentioned, ECC is currently only in use by a small number of sites. For your average company or organization, the performance difference is negligible. The SSL Handshake still takes place in a matter of milliseconds even with RSA and DSA keys. Given the way humans perceive time, a performance difference that deals in milliseconds – even if it is up to 100% better – isn’t even noticeable.

And to that end, recent data from Mozilla’s TLS Observatory says over 90% of SSL Certificates in use today use RSA keys, while just 4% use ECC. RSA has pretty much been king since SSL was invented.

Because of this, server and client software has been slow to support ECC and many CAs don't even provide it as an option (as we said at the beginning of this article, even within our sizeable product catalog, only a few high-end Symantec Certificates offer it).

But, as the processing power of computers continues to advance and forces industry standards to call for more secure keys and encryption strength, ECC is going to see substantial growth in terms of its popularity. RSA and DSA will soon be pushed beyond their reasonable limits and ECC is their logical successor.

So why wait for the industry to tell you to use ECC? Invest in it now and stay ahead of the curve. After all, ECC is the future. It’s just a matter of when you want to embrace it.
