What Makes a Secure PKI Solution? RSA vs ECC

I’ve often noticed that it can be difficult to find information in one place around PKI solutions and what makes them secure.

That’s why I’ve decided to create a PKI resource myself! This ongoing series will outline the elements that make up a secure PKI. So continuing on from last week’s blog, I’m discussing the pros and cons of RSA and ECC!

Bigger is not always better!

In an ever-expanding world of IoT, the demand for security keeps increasing. Even an IoT toothbrush can pose a security threat if the data it transmits about our home network is not secured.

RSA (Rivest–Shamir–Adleman) keys have been in use since 1977 and are still the go-to choice of most organisations for SSL certificates today. As the tools used to intercept and compromise our data have grown in capability, the response has been to increase certificate key lengths to make this harder for attackers.

This approach works, but it is not without caveats. As the minimum moved from 1024 bits to the recommended 2048 bits as the new standard for most operations, the computational time for encryption and decryption increased accordingly. Bear in mind that for Root PKI certificates we can go up to 4096 bits in some scenarios, which increases the computational time even further.

The extra computational power required is not much of a problem in most enterprise scenarios, where the work is done on workstations, laptops or servers. However, it can be problematic when handling large volumes of data over connections such as VPNs, and it is especially true for IoT devices, which lack the computational power of a workstation or server and cannot complete these operations in a timely fashion.

New kid on the block…

As with most technologies, cryptography has evolved, and one of the new kids on the block is ECC (Elliptic Curve Cryptography). It provides the same security as RSA-based cryptography at much smaller key sizes: a 256-bit ECC key, for example, is equivalent to a 3072-bit RSA key. Essentially, the ECC cryptosystem is based on elliptic curves over finite fields, whereas RSA is based on generating large random prime numbers and then deriving the key parameters from them to the desired key length. For most organisations, a 256-bit ECC certificate will provide more security than the 2048-bit RSA standard required today as the secure baseline for the SSL certificates your PKI infrastructure issues.
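As an added example that is not part of the original post, the Go program below (standard library only) puts numbers on the size and cost argument above: it generates RSA-2048, RSA-3072 and P-256 keys, then reports the public-key bytes a certificate would carry, the bytes per signature, the wall-clock time for one signature, and whether the signature verifies. The hashed "handshake transcript" is a constructed stand-in, and timings depend on the machine.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"time"
)

// KeyReport: public-key DER bytes in a cert, signature bytes, one signing's wall-clock time, verify result.
type KeyReport struct {
	PubKeyDER, SigBytes int
	SignTime            time.Duration
	Verified            bool
}

// measure signs a constructed stand-in for a TLS transcript hash with any
// crypto.Signer (PKCS#1 v1.5 for RSA, ASN.1 r,s for ECDSA) and verifies it.
func measure(priv crypto.Signer) (KeyReport, error) {
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	der, _ := x509.MarshalPKIXPublicKey(priv.Public()) // SubjectPublicKeyInfo, as embedded in a cert
	start := time.Now()
	sig, err := priv.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return KeyReport{}, err
	}
	rep := KeyReport{PubKeyDER: len(der), SigBytes: len(sig), SignTime: time.Since(start)}
	switch pub := priv.Public().(type) {
	case *rsa.PublicKey:
		rep.Verified = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
	case *ecdsa.PublicKey:
		rep.Verified = ecdsa.VerifyASN1(pub, digest[:], sig)
	}
	return rep, nil
}

func main() {
	rsa2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	rsa3072, _ := rsa.GenerateKey(rand.Reader, 3072) // NIST-rated 128-bit strength, same as P-256
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for name, k := range map[string]crypto.Signer{"RSA-2048": rsa2048, "RSA-3072": rsa3072, "ECDSA-P256": p256} {
		r, _ := measure(k)
		fmt.Printf("%-10s pubkey %3d B  sig %3d B  sign %v  ok=%v\n", name, r.PubKeyDER, r.SigBytes, r.SignTime, r.Verified)
	}
}
```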

If you would like to find out more on the algorithms used in both of these, please refer to the articles below:



ECC is, however, not without limitations: not all enterprise applications support it yet. In the Microsoft world, Microsoft Endpoint Manager (formerly Configuration Manager) doesn't currently support ECC certificates, though this should hopefully change in the future.

In summary, RSA keys are in wide use today, but with the ever-increasing sophistication of attackers, key lengths are only ever going to grow. ECC certificates should therefore certainly be considered once compatibility with the applications your PKI infrastructure will service is confirmed: ECC is the natural successor to RSA and provides future-proofing and better performance for securing your endpoints and your organisational data.

Rest of the Series

Here’s the series in full – I’ll be updating here each week as each part is released:

  1. Multiple Tiers
  2. RSA vs ECC
  3. Access Control
  4. Physical Access
  5. Backups
  6. Certificate Revocation Lists

If you have any questions on what I’ve discussed here or security in general, feel free to email in on info@poweronplatforms.com and I’ll be happy to answer any queries you have.
