ブログに戻る

フォロー&ご登録

英語のみで利用可能

このページは現在英語でのみ閲覧可能です。ご不便をおかけして申し訳ございませんが、しばらくしてからこのページに戻ってください。

Is it time for ECDSA certificates?

Shane Burgess

Senior Product Manager, Fastly

Certificates require evolution

Evolution can be hard. We often meet any kind of change with resistance, and say things like, “Don’t fix what isn’t broken,” or, “There’s nothing more permanent than a temporary solution.” 

With Transport Layer Security (TLS), Rivest–Shamir–Adleman (RSA) certificates have been the standard on the internet for the last 40 years. RSA is the most adopted and understood algorithm for certificates. Tried and true for many years, the only changes required for RSA certificates have been the length of the Public Key Infrastructure (PKI) keys. 

According to the National Institute of Standards and Technology (NIST), in 2003 RSA Security claimed 1024-bit keys would become crackable by 2010. Here in the United States, NIST recommends the use of 2048-bit keys until 2030. With the RSA algorithm, once the key lengths go beyond 2048, you hit the point of diminishing returns. RSA-2048 provides ~112 bits of security and RSA-3072 provides ~128 bits. The consensus for RSA-4096 is ~140 bits of security, only 28 more bits as compared to RSA-2048. 

This is nowhere near the perceived “double the security” that most people think they get when moving from RSA-2048 to RSA-4096. However, the real problem is that this marginal security enhancement comes at a significant performance cost. 

In contrast, Elliptical Curve Digital Signature Algorithm (ECDSA) certificates offer a better security posture, and better performance. RSA certificates are more widely adopted than ECDSA certificates. Is it time for your organization to make the change?

Without change, mitigating attacks becomes challenging

Why change now? RSA-2048 certificates are still secure. We have seven more years before our certificates are crackable – and you can always just lengthen the key, right? 

Not quite. Despite computers getting faster each year, longer RSA key lengths still demand processing power. While this isn’t a big concern for normal traffic, when we talk about the amount of traffic needed to cause a Distributed Denial of Service (DDoS), your server spends all of its time decrypting the client random (pre-master secret) key sent by the client when establishing a TLS connection. 

Mitigating this type of attack is very difficult because the only data point you have for creating a rule at the transport layer (L4) of the OSI model is the origin IP address. If the attacker is using enough unique origin IP addresses, monitoring the central processing unit (CPU) utilization is key to determining if you are under attack. Rate-limiting the number of TCP connections you allow would help mitigate this type of attack, but it would not discriminate from real traffic to your site. Because handshakes using ECDSA certificates are more efficient than using RSA certificates, these types of attacks are less likely to be successful. 

ECDSA certificates are here to stay

What is the alternative? Elliptical Curve Digital Signature Algorithm (ECDSA) certificates provide both the security and performance you need. While NIST accepted ECDSA as a standard in 2000, ECDSA certificates have had a slow adoption rate until recently. Again, change is hard – and RSA was working well. But while ECDSA certificates were not widely implemented at first, most clients now have support for ECDSA certificates. 

Our internal testing results at Fastly show ECDSA signings happen extremely fast, but verifying is slower when compared to RSA. Overall, as key lengths get larger, ECDSA outperforms RSA. 

Findings in an early study in 2015 on the Performance and Security of ECDSA corroborate this principle (although the overall speeds are slower due to 8 years of hardware and software advancements). 

As you can see from the chart above, RSA has a very slow key generation rate, but an extremely fast verification rate. As key lengths increase, the signature generation is slower for RSA as compared to ECDSA with similar security. Key generation speeds may not seem important, but as ephemeral certificates become popular, and you are managing hundreds of thousands of certificates, properly rotating your keys, even slight differences add up quickly. 

Shorter keys = better performance and scalability

Fastly now supports ECDSA certificates. If you are looking for stronger security, and performance is a requirement, then ECDSA certificates are for you. You can use ECDSA certificates with your Fastly services by uploading your ECDSA certificates via API or your https://manage.fastly.com/ account. Fastly managed certificates will support ECDSA keys soon. 

RSA-2048 may meet your requirements today, but NIST predicts that by 2030 those certificates will be too weak. If change is hard for your organization, start having the conversations now. We hope the data and resources in this article empower you to hold effective discussions with your leadership team. When you are ready to make the switch, Fastly is here to help. Reach out to our experts for more information.