Elliptic Curve Cryptography is the new black in the world of TLS. For the elite who work with crypto on a daily basis it’s already pretty old, but for normal system administrators and developers it is a new thing. We’ve added a new CA and three new tests for this cool technology!

The race for bigger keys in RSA

Security is a moving target. As computers get stronger and stronger CPUs, old cryptos fall and the world needs to move on and add more security. With RSA keys, the required key size has been set to a higher and higher value. Today, the minimum key size for most commercial Certification Authorities is 2048 bits.

Elliptic Curve Cryptography (ECC) is emerging as an attractive public-key cryptosystem, in particular for mobile (i.e., wireless) environments. Compared to currently prevalent cryptosystems such as RSA, ECC offers equivalent security with smaller key sizes. (RFC 4492)

A larger key is harder to process for a small CPU. We have a test with a very large RSA key – 16384 bits. Access this server to test the difference between a modern multicore laptop and a small system, like a Raspberry Pi. For some applications, connection setup time matters. In IP telephony it’s measured in milliseconds and call setup time is part of the user experience.

Elliptic Curve Cryptography is based on a totally different algorithm. A key with 224 bits is said to have the same level of security as an RSA key based on 2048 bits. This is of course much better for small systems and we’re getting more and more small systems connecting to the Internet. You will meet more and more servers using this kind of cryptography out there, so it’s important that your client supports Elliptic Curve cryptography.

Named curve negotiation in TLS

The new parameter is the curve. There is a set of defined and recognised curve names used for TLS. I don’t understand the math behind all of this, and it’s not a requirement for using it. It is important to find out what the server supports and how to agree on a curve. RFC 4492 is a good starting point for understanding this.

Elliptic Curve Cryptography is not supported in SSL. It’s only supported by TLS v1.0 and later.
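To make the curve agreement concrete, here is an added example (not code from the test site) that builds and parses the elliptic_curves ClientHello extension from RFC 4492 and then picks a curve the way a server does: the first curve in the server's own preference order that the client also offered. The curve ids are the NamedCurve values from RFC 4492; the 224-bit floor is an assumed server policy based on the comparison with 2048-bit RSA above.

```python
import re
import struct

# NamedCurve identifiers from RFC 4492, section 5.1.1 (prime curves only)
NAMED_CURVES = {
    19: "secp192r1", 21: "secp224r1", 23: "secp256r1",
    24: "secp384r1", 25: "secp521r1",
}
CURVE_IDS = {name: cid for cid, name in NAMED_CURVES.items()}
ELLIPTIC_CURVES_EXT = 10  # extension_type "elliptic_curves" (RFC 4492)


def encode_elliptic_curves_ext(curve_names):
    """Build the extension: type, length, then a length-prefixed list of
    2-byte NamedCurve ids in the client's preference order."""
    ids = b"".join(struct.pack("!H", CURVE_IDS[n]) for n in curve_names)
    curve_list = struct.pack("!H", len(ids)) + ids
    return struct.pack("!HH", ELLIPTIC_CURVES_EXT, len(curve_list)) + curve_list


def decode_elliptic_curves_ext(data):
    """Parse the extension back into curve names; ids this code does not know
    are kept as integers so the server still sees what the client offered."""
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ELLIPTIC_CURVES_EXT or ext_len != len(data) - 4:
        raise ValueError("not a well-formed elliptic_curves extension")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len != ext_len - 2 or list_len % 2:
        raise ValueError("bad NamedCurveList length")
    ids = struct.unpack("!%dH" % (list_len // 2), data[6:6 + list_len])
    return [NAMED_CURVES.get(i, i) for i in ids]


def curve_bits(name):
    """Field size in bits, read from the curve name (e.g. secp224r1 -> 224)."""
    m = re.match(r"sec[pt](\d+)", name) if isinstance(name, str) else None
    return int(m.group(1)) if m else 0


def choose_curve(client_curves, server_prefs, min_bits=224):
    """Server-side selection: first curve in the server's preference order that
    the client also offered and that meets the assumed strength floor.
    None means no ECC cipher suite can be negotiated for this handshake."""
    offered = set(client_curves)
    for c in server_prefs:
        if c in offered and curve_bits(c) >= min_bits:
            return c
    return None


if __name__ == "__main__":
    # Constructed ClientHello offering two curves, strongest first
    ext = encode_elliptic_curves_ext(["secp256r1", "secp224r1"])
    print(ext.hex(), decode_elliptic_curves_ext(ext))
    print(choose_curve(decode_elliptic_curves_ext(ext), ["secp384r1", "secp256r1"]))
```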

Migrating to Elliptic Curves

We’ve started our exploration into elliptic curve cryptography with three tests. During the migration, which will take a long time, there will be hybrids – certificates where the CA uses one technology and the client another. We’ve added those hybrid certificates to the test suite, as well as a modern CA using elliptic curve technology for a server also using it. Test #30, Test #31 and Test #32 are all about Elliptic Curves.

Try it out and give us feedback – especially if you locate a bug in the tests.