I’ve often noticed that it can be difficult to find information in one place around PKI solutions and what makes them secure.
That’s why I’ve decided to create a PKI resource myself! This ongoing series will outline the elements that make up a secure PKI. So continuing on from last week’s blog, I’m discussing the pros and cons of RSA and ECC!
Bigger is not always better!
In an ever-expanding world of IoT, demand and requirement for security is always increasing. Even our IoT toothbrushes can pose a security threat if the data it transmits about our home network is not secure.
RSA (Rivest–Shamir–Adleman) keys have been in usage since 1977, and are still widely used today as the go-to choice for most organisations for SSL Certificates. As malicious tools to intercept and compromise our data increase in capability, the response has been to increase the key length of certificates to make this harder for attackers.
This approach works but it is not without its caveats, one being that as we moved from a minimum of 1024 bits to the recommended 2048 bits as the new standard for most operations, computational time for decryption and encryption have increased accordingly. Bear in mind, for Root PKI certificates, we can go up to 4096 bits for some scenarios and this can increase computational time even further.
This increase in computational power required is not so much a problem for most enterprise scenarios where this is performed on workstations, laptops or servers. However, it can be problematic when dealing with large quantities of data transmissions over connections, such as VPNs for example. This is also especially true for IoT devices without the computational power of a workstation or server to achieve this in a timely fashion.
New kid on the block…
As with most technologies, cryptography has evolved and one of the new kids on the block is ECC (Elliptic Curve Cryptography). It provides the same security as RSA-based cryptography, but at much reduced key sizes. For example, a 256-bit ECC key equates to that of a 3072-bit RSA key. Essentially, the ECC cryptosystem is based on Elliptic Curves over finite fields whereas RSA is based on generation of random prime numbers, and then subsequent calculation of the key modifiers based on desired key length. For most organisations an ECC certificate of 256 bits will provide more than the 2048 bit standard that is required today for a secure baseline posture for SSL certificates for your PKI infrastructure.
If you would like to find out more on the algorithms used in both of these, please refer to the articles below:
ECC is however not without limitations; not all Enterprise applications yet support this, and in the world of Microsoft, Microsoft Endpoint Manager (formerly Configuration Manager) doesn’t currently support this method of encryption but this should hopefully change in the future.
In summary, RSA keys are in wide usage today however with the ever-increasing sophistication of malicious attackers, key lengths are only ever going to increase. So selection of the ECC type certificates should certainly be considered, if compatibility with the applications your PKI infrastructure will service is confirmed as ECC is the natural successor to RSA and provides future proofing and increased performance for securing of endpoints and your organisational data.
Rest of the Series
Here’s the series in full – I’ll be updating here each week as each part is released:
If you have any questions on what I’ve discussed here or security in general, feel free to email in on firstname.lastname@example.org and I’ll be happy to answer any queries you have.