ECC
Mar 13, 2020
ECC
What is ECC?
ECC stands for elliptic curve cryptography and is an alternative approach to public-key cryptography over the current RSA standard.
What is different about ECC vs. RSA?
Approaches to public-key cryptography are based around the impracticality of solving specific mathematical problems. RSA for instance, is based around the infeasibility of factoring the product of two large primes. ECC’s approach centers on the difficulty of finding the discrete logarithm between points on an elliptic curve, even if one of those points is known.
What are the advantages of ECC vs. RSA?
ECC can use smaller key sizes while offering comparable cryptographic strength.For example, a 256-bit ECC key is equivalent to an RSA 3072-bit key. See the table below for a more complete comparison:
| Symmetric Key length (bit) | RSA Key length (bit) | ECC Key length (bit) |
|---|---|---|
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |
| 256 | 15360 | 521 |
The smaller key size means less computational overhead and reduced storage requirements, which in turn translates to better performance, especially for computationally constrained devices.
Does GlobalSign offer ECC Certificates?
Yes, as of May 27th, 2015 you can paste in an ECC CSR when you order or reissue your SSL Certificate for all GlobalSign SSL products. The certificate will be signed under the same SHA-256 hierarchy for that product eliminating the need to add additional intermediates to your existing server configuration.
GlobalSign offers free reissues, consider reissuing your SSL certificate today to take advantage of the improved security!
Are there any special requirements?
There are many different ECC Curves; GlobalSign will sign ECC keys generated using the NIST SuiteB P-256 and P-384 curves.
How can I generate an ECC key & CSR?
The OpenSSL command to generate a 256-bit ECC key is:
openssl ecparam -out server.key -name prime256v1 -genkey
From there, you can use the standard command to generate a CSR from your ECC key:
openssl req -new -key server.key -out server.csr
For IIS, you will need to specify the Cryptographic Service Provider to generate an ECC key. Detailed instructions here.
Will my ECC certificate be trusted?
ECC certificates issued by GlobalSign are signed by the same intermediates currently in use for each SSL product chaining back to one of our roots are embedded in most operating systems, browsers, and mobile devices. GlobalSign’s root ubiquity will ensure your certificates are trusted.
Are there any compatibility issues with ECC certificates?
While GlobalSign’s root certificates are embedded across platforms, some legacy systems may not have the cryptographic libraries necessary to support ECC Certificates. Microsoft added support for ECC starting with Windows Vista & Windows Server 2008. View our ECC Compatibility article for more detailed information.
Related Articles
SSL Configuration Test
Check your certificate installation for SSL issues and vulnerabilities.