RSA, ECC, ECDSA: which algorithm is better to choose when ordering a digital certificate in LeaderSSL?
Until recently, only two algorithms were used in digital certificates: the RSA encryption algorithm and the SHA-1 hashing algorithm. Today these algorithms are no longer considered sufficiently secure, so new solutions have come to replace them.
In January 2011, trusted Certificate Authorities adopted the NIST guidelines as the standard for issuing new RSA certificates, requiring keys at least 2,048 bits long. The standards keep changing, however, and the requirements for algorithm strength are gradually increasing. For example, the minimum RSA key size for Code Signing certificates has now been increased to 3,072 bits.
What is ECC?
ECC (Elliptic Curve Cryptography) is a method of public key cryptography based on elliptic curves over finite fields. The most important difference between ECC and RSA is the key size required for a given level of cryptographic strength. ECC provides the same cryptographic strength as RSA, but with much smaller keys. For example, a 256-bit ECC key is equivalent to a 3,072-bit RSA key (which is 50% longer than the 2,048-bit keys used for SSL certificates today).
Finally, the strongest symmetric algorithms used in TLS, such as AES, use keys of at least 128 bits, so moving to asymmetric keys of matching strength seems very reasonable.
Why should you move to ECC?
The small key size makes ECC an ideal choice for devices with limited storage or processing resources, which are increasingly common in IoT. On the server side, the small key size can speed up the SSL handshake, which results in extremely fast page loading and greater security.
Today, ECC certificates are issued by DigiCert (Symantec) and Sectigo (Comodo).
Note: RapidSSL cannot be ordered with ECDSA.
If you need an ECC certificate, you must generate a special request.
For Sectigo, generating an elliptic curve CSR requires OpenSSL 1.x or later and is done as follows:
1) Create an elliptic curve parameters file:
$ openssl ecparam -name prime256v1 -out ecparams.pem
2) Create the private key and the CSR:
$ openssl req -new -sha256 -nodes -newkey ec:ecparams.pem -keyout my_ecc.key -out my_ecc.csr
Note: Issuing ECC certificates is only possible if you have not started the validation process. So be sure to inform us in advance by email that you require an ECC certificate!
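The two steps above as an added, runnable example (not LeaderSSL's or Sectigo's own script) that also checks the result before it is sent to the CA: it confirms the CSR really carries a prime256v1 key, is signed with ecdsa-with-SHA256, and matches the private key on disk. It assumes openssl is in PATH and passes a constructed subject with -subj so that openssl req does not prompt; the working directory name is an assumption too.

```shell
#!/bin/sh
# Added example: generate a P-256 ECDSA key and SHA-256 CSR, then verify it.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                   # assumed scratch directory
SUBJ="/C=US/O=Example Corp/CN=www.example.com"        # constructed sample subject

# Steps 1 and 2 from the ordering instructions, made non-interactive with -subj.
make_ecc_csr() {
    openssl ecparam -name prime256v1 -out "$WORKDIR/ecparams.pem"
    openssl req -new -sha256 -nodes -newkey "ec:$WORKDIR/ecparams.pem" \
        -keyout "$WORKDIR/my_ecc.key" -out "$WORKDIR/my_ecc.csr" -subj "$SUBJ"
}

# Curve named in the CSR's public key (expected: prime256v1).
csr_curve() {
    openssl req -in "$WORKDIR/my_ecc.csr" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# Algorithm used to self-sign the CSR (expected: ecdsa-with-SHA256).
csr_sigalg() {
    openssl req -in "$WORKDIR/my_ecc.csr" -noout -text \
        | sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# Returns 0 only if the CSR self-signature verifies and the public key
# embedded in the CSR is the one derived from my_ecc.key.
csr_matches_key() {
    openssl req -in "$WORKDIR/my_ecc.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$WORKDIR/my_ecc.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/my_ecc.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

make_ecc_csr
echo "curve: $(csr_curve)  signature: $(csr_sigalg)"
csr_matches_key && echo "CSR in $WORKDIR matches my_ecc.key"
```

Send my_ecc.csr to the CA and keep my_ecc.key private; a key that does not match the CSR produces a certificate the server cannot use.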
What is ECDSA?
ECDSA (Elliptic Curve Digital Signature Algorithm) was first proposed by Scott Vanstone in 1992. Signatures based on the ECS algorithm, the ancestor of ECDSA, have several important advantages over RSA-based algorithms: they are smaller and are created much faster. Verification with ECC is also fast, which has led to the widespread adoption of ECDSA certificates.
Advantages of ECDSA over RSA
Using ECDSA for digital signatures brings a number of important advantages, such as:
- a high level of security;
- no application performance problems;
- fast signing and verification (40% faster than RSA);
- fulfilment of the growing application security requirements;
- support for government information protection standards;
- compliance with current industry requirements.
Certificates with ECDSA can reduce the total amount of data to be authenticated, resulting in significant cost savings on data storage.
Today, ECDSA certificates are issued by DigiCert (Symantec) and Sectigo (Comodo).
Note: RapidSSL cannot be ordered with ECDSA.
ECPVS: a highly specialised alternative to ECDSA
There is also another alternative to ECDSA: the ECPVS algorithm (Elliptic Curve Pintsov-Vanstone Signature). This algorithm is unique in that it supports recovery of part of the signed message from the signature itself. ECPVS is included in many standards, such as IEEE P1363a, ANSI X9.92 and ISO 9796-3. It is used in various postal services, as well as to verify signatures on cheques and on short messages of 1 byte (for example, a "yes/no" answer).
Upon request, we can always issue any required digital certificates for you.