ECC vs RSA: Comparing SSL/TLS Algorithms

Here’s a comparative analysis of ECC & RSA cryptosystems and how they’re similar or different

ECC vs RSA — how do you choose between these two types of algorithms when choosing an SSL/TLS certificate? Moreover, what does each of these options even mean in terms of encryption?

When purchasing an SSL certificate, users come across many technical specifications that they have no idea about. However, going ahead without understanding these terms isn’t an option for many. They want to get to the roots of these terms so that they can make an educated choice about purchasing the right SSL/TLS certificate to protect their website.

Considering that you’re reading this sentence right now, either you’re one of them, or you’re just a curious person who wants or needs to know this. In either case, this post will help you learn what you need to know about RSA and ECC. So, let’s get to learning!

RSA Algorithm

RSA (Rivest–Shamir–Adleman) is the most widely adopted asymmetric cryptographic algorithm today. It’s extensively used in encrypting website data, emails, software, etc.

RSA was invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. These three cryptographers used the prime factorization method to achieve the one-way encryption of a message. The prime factorization method involves taking two large random prime numbers (even “trillions” is too small of a number to accurately represent them) and multiplying them to create a public key. However, you cannot decrypt the message without knowing these two prime numbers. Getting these two prime numbers is a mightily difficult task. How difficult? Well, a group of researchers estimated that it would take more than 1,500 years of computing time to sieve a 768-bit, 232-digit RSA modulus using a “single core 2.2 GHz AMD Opteron processor with 2 GB RAM.”
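To make the dependency on the two primes concrete, here is an added example (not from the original article) of textbook RSA built from two small constructed primes. The function names are illustrative, and the scheme uses toy sizes and no padding, so it is for study only.

```python
# Added illustration: textbook RSA with constructed toy primes (no padding, not secure).
from math import gcd, isqrt

# Constructed sample values: two small Mersenne primes and an arbitrary message.
P, Q = 8191, 131071          # 2**13 - 1 and 2**17 - 1
MESSAGE = 42424242           # must be smaller than P * Q


def make_keypair(p, q, e=65537):
    """Return (public, private). Only the product n = p*q is published."""
    n = p * q
    phi = (p - 1) * (q - 1)              # computable only if p and q are known
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public):
    n, e = public
    return pow(m, e, n)


def decrypt(c, private):
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Works here only because n is about 30 bits; real moduli are 2048+ bits."""
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no odd factor found")


def recover_private_key(public):
    """Anyone who can factor n can rebuild the private key from the public one."""
    n, e = public
    p, q = factor_by_trial_division(n)
    return make_keypair(p, q, e)[1]


if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    ciphertext = encrypt(MESSAGE, public)
    print("decrypts correctly:", decrypt(ciphertext, private) == MESSAGE)
    print("key rebuilt from factors:", recover_private_key(public) == private)
```

The private exponent is derived from the primes alone, which is why the whole scheme stands or falls on how hard the modulus is to factor.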

A significant thing making RSA tick is its simplicity. It’s based on simple mathematical principles and can run faster compared to ECC — we’ll speak more about what ECC is in just a moment. Therefore, RSA is ideal for internal organizational security.

However, the thing about RSA is that it’s been found to be vulnerable. We won’t get into mathematical details here, but researchers could break the encryption of 12,934 keys out of 6.2 million actual public keys they had scanned and collected. This means RSA encryption provides less than 99.8% security. While this number might sound promising on paper, with the ever-increasing computational power that computers now provide, it means that the RSA algorithm will likely be cracked in the foreseeable future.

Now, let’s dive into ECC and what all of that entails.

Elliptic Curve Cryptography

The history of elliptic curve cryptography, or ECC, goes back to 1985 when two mathematicians named Neal Koblitz and Victor S. Miller suggested the use of elliptic curves in cryptography. However, it wasn’t until 2004 or 2005 that ECC algorithms entered the public domain.

As the name suggests, ECC is an asymmetric cryptography algorithm based on the algebraic structure of elliptic curves over finite fields. The ECC algorithm works on the elliptic curve discrete logarithm problem (ECDLP). This cryptography method is harder to crack since there is no known solution to the mathematical problem given by the equation producing the elliptic curve in a graph. Therefore, only one way remains for hackers: a brute-force attack — or a trial-and-error approach, in other words. This complexity makes ECC more secure compared to RSA.

ECC is, by structure, more secure compared to RSA because it offers optimal security with shorter key lengths. As a result, it places a lighter load on network and computing resources, which translates into a better user experience. To give you some numbers, RSA can respond to 450 requests per second with a 150-millisecond average response time, whereas ECC takes only 75 milliseconds to respond to the same number of requests per second.

RSA vs ECC: Key Length Comparison

| Security (in bits) | RSA key length required (bits) | ECC key length required (bits) |
|---|---|---|
| 80 | 1024 | 160-223 |
| 112 | 2048 | 224-255 |
| 128 | 3072 | 256-383 |
| 192 | 7680 | 384-511 |
| 256 | 15360 | 512+ |

As you can see, RSA requires much larger key lengths compared to ECC. Therefore, to implement 256-bit encryption, we’ll have to use an RSA key length of 15360 bits. This, of course, is not practical since it’ll take much more computational power.
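The pattern in the key length table can be reproduced from cost estimates. This added example is not part of the original article and goes beyond the table: RSA strength uses the general number field sieve running-time estimate with the 4.69 calibration offset from NIST's FIPS 140-2 implementation guidance, and ECC strength is taken as half the key size. The host names and the 100-bit policy floor are constructed for the demonstration.

```python
# Added illustration: estimate comparable strength of RSA and ECC keys.
from math import log

LN2 = log(2)


def rsa_strength_bits(modulus_bits):
    """Symmetric-equivalent strength of an RSA modulus (GNFS cost estimate)."""
    ln_n = modulus_bits * LN2
    work = 1.923 * ln_n ** (1 / 3) * (log(ln_n) ** 2) ** (1 / 3) - 4.69
    return work / LN2


def ecc_strength_bits(curve_bits):
    """Generic attacks cost about sqrt(group order): half the key size."""
    return curve_bits / 2


def rsa_bits_matching(curve_bits, step=256):
    """Smallest RSA modulus (multiple of step) at least as strong as the curve."""
    target = ecc_strength_bits(curve_bits)
    bits = step
    while rsa_strength_bits(bits) < target:
        bits += step
    return bits


def audit(keys, minimum_bits):
    """Names of keys whose estimated strength falls below the policy floor."""
    weak = []
    for name, algo, bits in keys:
        est = rsa_strength_bits(bits) if algo == "RSA" else ecc_strength_bits(bits)
        if est < minimum_bits:
            weak.append(name)
    return weak


# Constructed inventory; host names are hypothetical.
SAMPLE_KEYS = [
    ("legacy.example", "RSA", 1024),
    ("www.example", "RSA", 3072),
    ("api.example", "ECC", 256),
    ("old-iot.example", "ECC", 160),
]

if __name__ == "__main__":
    for row in SAMPLE_KEYS:
        print(row, "weak" if row[0] in audit(SAMPLE_KEYS, 100) else "ok")
    print("RSA bits to match a 256-bit curve:", rsa_bits_matching(256))
```

The estimate lands within a few bits of each table row, and it shows why the RSA column grows so much faster: the factoring cost is sub-exponential in the modulus size, while the ECC cost doubles in bits only when the key size doubles.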

RSA vs ECC: Side by Side Comparison

| RSA | ECC |
|---|---|
| A well-established method of public-key cryptography. | A newer public-key cryptography method compared to RSA. |
| Works on the principle of the prime factorization method. | Works on the mathematical representation of elliptic curves. |
| RSA can run faster than ECC thanks to its simplicity. | ECC requires a bit more time as it’s complex in nature. |
| RSA has been found vulnerable and is heading towards the end of its tenure. | ECC is more secure than RSA and is in its adaptive phase. Its usage is expected to scale up in the near future. |
| RSA requires much bigger key lengths to implement encryption. | ECC requires much shorter key lengths compared to RSA. |

RSA vs ECC: Conclusion

Both methods are prevalent and offer security against man-in-the-middle (MitM) attacks. However, RSA has been found vulnerable against some attacks, and it’s a matter of “when” not “if” RSA will eventually fail. Many experts believe that RSA will no longer be in use by the time 2030 comes around. ECC, on the other hand, is in its maturity phase, and many users have started using it. If you’re thinking of purchasing an SSL certificate, we’d suggest you go with a certificate with the ECC option as it’s always better to stay a step ahead of the criminals.
