
Elliptic Curve Cryptography Explained

Public key cryptography, the foundation of public key infrastructure (PKI), uses two different cryptographic keys, a public key and a private key, to encrypt and decrypt data. These algorithms use mathematical formulas to generate the key pairs behind digital certificates, which bind unique digital identities to those keys to secure information.

Elliptic Curve Cryptography (ECC) is one method of generating these key pairs that has proven to be an effective way to secure data. The National Institute of Standards and Technology (NIST) has endorsed ECC as a recommended algorithm for secure key exchange and has standardized its use for digital signatures.

ECC keys have a shorter key length and require less computing power, which is significant for embedded systems such as mobile or IoT devices, and for faster load times.

What Is Elliptic Curve Cryptography?

Elliptic Curve Cryptography (ECC) is a type of public and private key cryptography based on the mathematics of elliptic curves. It yields smaller keys that are nonetheless more efficient at securing data.

ECC is growing in popularity relative to the Rivest-Shamir-Adleman (RSA) public-key methodology used to secure data in transit. While the RSA algorithm bases its security on the difficulty of factoring large numbers built from primes, ECC derives public keys from arithmetic on the points of an elliptic curve plotted on a graph.

The curve is symmetric about the x-axis, and any non-vertical line intersects it in at most three points. In simplified form, the equation of the curve used in elliptic curve cryptography looks like this:

Elliptic Curve Equation

y² = x³ + ax + b

The public key is used to encrypt data, and the corresponding private key is used for decryption. This separation helps ensure a more secure system for controlling access to data.

Pros and Cons of This Algorithm

Here are some of the major benefits of elliptic curve cryptography as well as some of its limitations.

ECC Pros

One of the reasons for the growing popularity of ECC is that the keys themselves are smaller in size, yet more secure than those of other encryption algorithms. For example, an ECC key of 256 bits provides the same level of security as an RSA key of 3072 bits. The relationship between key size and security is also not linear: an ECC key of 521 bits would require an RSA key length of 15360 bits to provide the same level of security.

ECC-based systems provide a higher security level in comparison to other methods and have so far withstood the quantum computing capabilities that exist today, although quantum computing is expected to break ECC at some point in the future.

The smaller key size makes key generation and signing much quicker, reducing the latency these operations introduce. This is also important for mobile and IoT devices, which have less storage space and less computing power available for elliptic curve computations.

ECC also allows faster SSL/TLS handshakes when exchanging and validating the digital certificates for a web page. Because of the smaller key size, less data needs to move back and forth, resulting in faster load times for websites. ECC certificates also use less memory in general, which can help accelerate network performance. For high-traffic sites this can be a significant advantage and provide better scalability, because servers need less compute power per connection, which matters when you consider the billions of endpoints globally.

For example, an RSA certificate generally has a response time of 150 milliseconds for 450 requests, while ECC can accommodate the same number of requests in half the time.

ECC Cons

There are some downsides to using ECC, however. There is a steeper learning curve for adoption and it is more complex to integrate. This can result in a higher error rate during implementation, which could impact security. That is essentially what happened to Sony when it mishandled ECDSA (Elliptic Curve Digital Signature Algorithm) while signing software for its PlayStation gaming system. Developers used static parameters where fresh random values were required, which allowed attackers to solve for and recover the private keys.

Because ECC is newer, it may also harbour weaknesses that have yet to be discovered, and several classes of attack are already known.

For example, side-channel attacks (SCA) extract secret keys from chips or systems by exploiting leaks of information such as timing or power consumption. Some of the more common attacks include:

  • Timing attacks analyze the time it takes a system to execute an algorithm.
  • Electromagnetic (EM) attacks analyze the electromagnetic radiation produced by a device.
  • Simple power analysis (SPA) monitors variations in power consumption and EM emission during cryptographic operations.
  • Differential power analysis (DPA) applies statistical analysis to many such measurements taken while the device is in use.
  • Template attacks compare captured side-channel data against templates built from an identical device.

These attacks deduce keys from the signals the attacker observes, such as the time it takes to process particular input values. With proper countermeasures, however, each of these can be mitigated, for example by masking and by making execution time independent of the secret.

Twist-security attacks, also known as fault attacks, can also leak private keys. If an attacker supplies a public key that does not lie on the intended ECC curve, the resulting shared key may be one the attacker can reverse engineer by computing a hash. These attacks can also be mitigated by paying close attention to curve and parameter validation, that is, by checking that every received point actually lies on the expected curve.
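The key derivation, shared-secret computation, secret-independent scalar multiplication and on-curve validation discussed above, as an added example that is not part of the original post. The tiny curve, its generator and the private scalars are constructed for illustration only; real deployments use standardized curves such as NIST P-256 through vetted libraries.

```python
# Added example, not code from the original post: toy elliptic-curve arithmetic over a small
# prime field (key derivation, ECDH shared point, on-curve validation of a peer's key, and the
# fixed-shape ladder that side-channel countermeasures build on). Constructed toy parameters.
P = 17            # prime modulus of the field F_P (constructed, toy size)
A, B = 0, 7       # short Weierstrass curve y^2 = x^3 + A*x + B over F_P
G = (15, 13)      # generator: 13^2 = 16 = 15^3 + 7 (mod 17); the group has 18 points
N = 18            # order of G: N*G is the point at infinity
INF = None        # the point at infinity, the group's identity element
assert (4 * A**3 + 27 * B**2) % P != 0   # non-singular: no cusp or self-intersection

def on_curve(pt):
    """True for infinity or an affine point satisfying the curve equation."""
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p, q):
    """Group law: the line through p and q meets the curve in a third point; negate it."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                    # p == -q: vertical line, no third point
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt, bits=N.bit_length()):
    """Montgomery ladder: one doubling and one addition per bit regardless of its value, so
    the operation sequence is secret-independent (Python itself is not constant-time)."""
    r0, r1 = INF, pt                                  # invariant: r1 == r0 + pt
    for i in reversed(range(bits)):
        bit = (k >> i) & 1
        if bit:
            r0, r1 = r1, r0                           # conditional swap in ...
        r0, r1 = add(r0, r0), add(r0, r1)
        if bit:
            r0, r1 = r1, r0                           # ... and back out
    return r0

def validate_peer_key(pt):
    return pt is not INF and on_curve(pt)             # finite point on this exact curve

def derive_shared(priv, peer_pub):
    if not validate_peer_key(peer_pub):               # invalid-curve check before any use
        raise ValueError("peer public key is not a valid point on the curve")
    return scalar_mul(priv, peer_pub)                 # ECDH: priv * peer_pub
```

With private scalars 7 and 11, both parties arrive at the same point 77·G = 5·G, while a point such as (15, 12) that is not on the curve is rejected before the private scalar ever touches it.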

Using This Method

Elliptic Curve Cryptography can help secure websites with smaller, faster keys that speed up performance and reduce latency without sacrificing security. How you implement and manage your ECC algorithms, however, plays a significant role in protecting your digital keys.

Sectigo provides the most comprehensive suite of SSL certificates and cybersecurity products to keep your business and your customer safe. We also offer a Certificate Lifecycle Management platform that securely manages digital identities for both public and private certificates for any device, user, or application.

Learn more about Sectigo and how we can help protect your website from security threats.

*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Nick France. Read the original post at: https://www.sectigo.com/resource-library/elliptic-curve-cryptography-explained