Cryptography, the science of protecting data and information, is the backbone of SSL/TLS. Every time you visit a website that is secured by an SSL certificate, your browser and that website's server perform a handshake that authenticates the server and agrees on session keys, and then encrypt and decrypt all data sent over the connection. Without going into too much detail, the authentication step depends on a public-key algorithm: the key pair in the website's certificate, and the signature the Certificate Authority placed on that certificate.
The most commonly used public-key algorithm is RSA (Rivest-Shamir-Adleman, named for its inventors). The vast majority of SSL certificates carry RSA keys, and at current key sizes recovering the private key from the public key, or forging a signature without it, is computationally infeasible.
Although RSA is the industry standard, many system admins rightfully believe that one can never be too secure. Any SSL user who wants more margin than RSA provides might be interested in a newer family of public-key algorithms, Elliptic Curve Cryptography (ECC). Its security rests on the elliptic-curve discrete logarithm problem, for which no attack as efficient as the factoring methods used against RSA is known, so it is thought to be significantly harder to break than RSA at comparable key sizes.
Overview of Elliptic Curve Cryptography (ECC)
The ECC signature algorithm used in certificates (ECDSA) is based on the algebraic properties of elliptic curves. Because the best known attacks on elliptic-curve keys scale far worse than the best attacks on RSA, ECC private keys can be much shorter than RSA keys while being considerably stronger. A 256-bit ECC key is roughly equal in strength to a 3072-bit RSA key; for reference, the industry-standard RSA key size is 2048 bits.
This difference in strength does not mean that the widely-used RSA algorithm is insecure or being phased out any time soon. ECC simply grants a higher margin of security than is standard, and because the server's private-key operation in the handshake (signing) is far cheaper with a 256-bit ECC key than with a 2048-bit RSA key, systems can often complete their "handshakes" faster than usual.
However, there are a few reasons why you might not want to switch to ECC just yet. It is a newer algorithm, which means its implementations have had less time to be tested for vulnerabilities than the tried-and-true RSA. There are also a number of older browsers, servers, and devices that don't support it, and they will fail to create a secure connection with a website that presents only an ECC certificate. Additionally, verifying an ECDSA signature costs the client more than verifying an RSA signature, so on slower processors the handshake can take longer; the bulk data is encrypted with a symmetric cipher either way, so this affects only the handshake, not the data transfer.
How to Get an ECC Certificate
If you do decide that an ECC certificate is right for your domain, you’ll need to start by purchasing an SSL certificate that can use this algorithm. The Symantec Secure Site Pro is the only Digicert product offered by The SSL Store that can utilize ECC at this time, but any Comodo product can be issued with ECC.
When you're ready to generate your certificate, you'll need an ECC key pair and a Certificate Signing Request (CSR) built from it on your server. The key type is fixed when the key is generated, so make sure you generate an EC key rather than an RSA key before creating the CSR. Then all you have to do is finish the SSL process the same way it's always done. After validation the Certificate Authority will issue a certificate for your ECC public key, ready to secure your domain.
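The key and CSR generation described above, as an added example that is not part of the original post or of any vendor's instructions. It uses the OpenSSL command line, picks the P-256 curve (prime256v1), and then inspects the CSR so that a wrong key type is caught before the request goes to the CA. The file names and the `/CN=www.example.com` subject are placeholders.

```shell
#!/bin/sh
# Generate an ECC (P-256) private key and a CSR with OpenSSL, then check the
# CSR before submitting it. File names and subject are example placeholders.
set -eu

KEY=${KEY:-ecc.key}
CSR=${CSR:-ecc.csr}
SUBJ=${SUBJ:-/CN=www.example.com}   # placeholder subject; use your real domain

# 1. Generate a P-256 (prime256v1, a.k.a. secp256r1) private key.
#    -noout keeps the curve parameters block out of the key file.
gen_ecc_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$KEY"
}

# 2. Build the CSR from that key. The CSR carries the EC public key, so the
#    CA will issue an ECC certificate; an RSA key here would silently give you
#    an RSA certificate instead.
gen_ecc_csr() {
    openssl req -new -key "$KEY" -subj "$SUBJ" -sha256 -out "$CSR"
}

# 3. Report the public-key algorithm embedded in the CSR
#    (expected: id-ecPublicKey; an RSA key would show rsaEncryption).
csr_key_algorithm() {
    openssl req -in "$CSR" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# 4. Check the CSR's self-signature, i.e. that key and CSR belong together.
#    Exit status 0 means the signature verified.
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

gen_ecc_key
gen_ecc_csr
echo "CSR public key algorithm: $(csr_key_algorithm)"
csr_verifies && echo "CSR self-signature OK"
```

Submit the contents of `ecc.csr` to the CA as usual; the private key in `ecc.key` never leaves the server and is what the web server will load alongside the issued certificate.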