Elliptic Curve Cryptography (ECC)

Problem

What is Elliptic Curve Cryptography (ECC)?

Solution

Elliptic-curve cryptography (ECC) is public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys than non-ECC cryptography (such as RSA) to provide an equivalent level of security.

Why should I consider ECC?

One of the main benefits of ECC is a smaller key size, which reduces storage and transmission requirements and makes the cryptographic operations faster. ECC can provide the same level of security as an RSA-based key while using a much smaller key; for example, a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key.

CSRs (certificate signing requests) generated from ECC keys are also much smaller than CSRs generated from RSA-based keys.

How can I generate an ECC private key and CSR?

ECC support was added in OpenSSL 0.9.8; however, not all servers ship an OpenSSL build compiled with ECC enabled, so you will need to check that your version of OpenSSL supports ECC. Below are some simple OpenSSL commands for ECC:

First, you must create the ECC private key:

openssl ecparam -out <path/to/private>.key -name <curve> -genkey

Where:

<path/to/private> is the path and name of the private key file you wish to create. Example: "C:\temp\mykey.key"

<curve> is the name of the elliptic curve you wish to use. Example: -name secp384r1

Note: You can get a list of available curves by running:

openssl ecparam -list_curves

Once the ECC private key has been created, you can then run the following to create your CSR:

openssl req -new -key <path/to/private>.key -out <path/to/csr>.txt

Where:

<path/to/private>.key is the private key you created in the first step. Example: "C:\temp\mykey.key"

<path/to/csr> is the path and name of the CSR file you wish to create. Example: "C:\temp\mycsr.txt"
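The steps above, carried through as a single POSIX shell script. This is an added example, not a command sequence from the original article or from QuoVadis: it first confirms that the local OpenSSL build actually supports ECC and the requested curve (by matching the curve name against the output of openssl ecparam -list_curves), then generates the key and CSR non-interactively and verifies the CSR's self-signature. The function names, file names and certificate subject are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original article): ECC key and CSR
# generation with OpenSSL, including the "does my OpenSSL support ECC?"
# check the article says to perform first. Assumes `openssl` is on PATH.
set -eu

# Return 0 if this OpenSSL build supports ECC and lists the requested curve.
# `openssl ecparam -list_curves` prints one "name: description" line per curve;
# a build without ECC fails here, so the function returns non-zero either way.
ecc_curve_supported() {
    curve="$1"
    openssl ecparam -list_curves 2>/dev/null \
        | sed 's/:.*//' | tr -d ' ' \
        | grep -qx -- "$curve"
}

# Generate an ECC private key and a CSR for it, then verify the CSR.
# Usage: make_ecc_csr <curve> <key_path> <csr_path> <subject>
make_ecc_csr() {
    curve="$1"; key="$2"; csr="$3"; subj="$4"

    if ! ecc_curve_supported "$curve"; then
        echo "curve '$curve' is not supported by this OpenSSL build" >&2
        return 1
    fi

    # Private key. The subshell limits the umask change to this one command so
    # the key file is never world-readable, even briefly. -noout drops the
    # separate "EC PARAMETERS" block that the article's command also writes;
    # the curve is still recorded inside the key itself.
    ( umask 077 && openssl ecparam -name "$curve" -genkey -noout -out "$key" )

    # CSR from that key. -subj supplies the subject so no interactive prompts.
    openssl req -new -key "$key" -subj "$subj" -out "$csr"

    # Sanity check: the CSR parses and its self-signature verifies with the
    # embedded public key, i.e. it really was signed by the key we just made.
    openssl req -in "$csr" -noout -verify
}

# Print the curve name recorded in a CSR's public key (e.g. "secp384r1"),
# which is what a CA checks against its list of allowed curves.
csr_curve() {
    openssl req -in "$1" -noout -pubkey \
        | openssl ec -pubin -text -noout 2>/dev/null \
        | sed -n 's/.*ASN1 OID: *//p'
}

# Example run (constructed paths and subject):
# make_ecc_csr secp384r1 ./mykey.key ./mycsr.txt "/CN=www.example.com/O=Example"
# csr_curve ./mycsr.txt
```

On Windows the same openssl commands run unchanged from the command prompt; only the shell wrapper differs. Check the curve reported by csr_curve against the CA's supported list before submitting the CSR, since a CSR on an unsupported curve is rejected at enrollment rather than at generation time.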

Which ECC curves does QuoVadis support?

At this time, Trust/Link only allows the following elliptic curves, with an RSA signing algorithm:

  • secp256r1