Thomas

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

Dive into the world of the E's

ECC can stand for “Elliptic Curve Certificates” or “Elliptic Curve Cryptography”. I will be using ECC as the latter of those for the sake of clarity. Elliptic curve certificates are commonly called ECDSA. Elliptic curve key exhange is called ECDH. If you add another E to the latter (ECDHE), you get ephemeral. The main points are about the different E’s (elliptic and ephemeral) as well as EC in the key exchange and the certificate signature algorithms.

Security

For security in key exchange, ALWAYS prefer the latter E (ephemeral) over the former E (EC). Security over speed. Always. Luckily, you can (and should) have both – ECDHE. So, in order of preference here:

  1. ECDHE
  2. DHE
  3. ECDH

Speed

  1. Speed in key exchange. DHE is slowest. ECDHE is still slower than RSA. RSA is the speed king.
  2. Speed overall. If ECC is used in both the certificate (ECDSA) as well as the key exchange (ECDHE), it is almost as fast as RSA on a comparative security level (RSA 2048).

PFS (Perfect Forward Secrecy or just forward secrecy) is NOT a result of any ECC, it is a result of the “latter E” in ECDHE or DHE. It stands for ephemeral.

ECC has benefits in both the certificate signature algorithm as well as the key exchange. Both must (and should) be enabled separately.

Picture 1. Speed comparison chart from Hubert Kario's blog

Mid-post wrap-up:

  • ECDHE-RSA means that ECC is used in the key exchange with EPHEMERAL Diffie-Hellman – using an RSA-certificate
  • ECDH-RSA means that ECC is used in the key exchange with NORMAL Diffie-Hellman – using an RSA-certificate
  • ECDHE-ECDSA means that ECC is used in the key exchange with EPHEMERAL Diffie-Hellman – using an ECC-certificate
  • ECDH-ECDSA means that ECC is used in the key exchange with NORMAL Diffie-Hellman – using an ECC-certificate

Configuration

For compatibility, one has to provide both RSA- end ECDSA-certificates for most end-user services. This means having two different certificates signed by your CA. In addition it also means two different CA-chains to be maintained. These things may or may not be an issue, but should be considered and remembered.

NOTE! An RSA-certificate and a ciphersuite starting with ECDHE-ECDSA will NOT enable
ECC-certificates – because you haven’t generated one (you are not alone – 2048 bit RSA is still at 90.6%
according to this source: https://securitypitfalls.wordpress.com/2015/02/01/january-2015-scan-results/).

Lessons for the reader

  • Don’t let yourself become confused by the different E’s (elliptic vs. ephemeral)
  • Techniques (algorithms) may be used in certificates, key exchanges, signatures and MAC’s. One technique might be really bad in one context, and totally OK in another (example: SHA-1 as a hash for handshakes in TLS is pretty OK, but SHA-1 as a hash for a certificate is not).
  • Using EC key exchange does not automatically mean PFS or ephemeral. They are two different server side configuration options (as can be seen in the list above)

Links and TL/DR

The mozillawikipage is regarded as the de-facto standard (and a true TL/DR!) for configuring SSL/TLS and can be found here:

Other good links on these beasts and the speed of them can be found here:

Thomas

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

contact us

Please do contact us. We most likely respond faster than you thought,