February 13, 2013, 7:16 AM — Symantec today began offering multi-algorithm SSL certificates for Web servers that go beyond traditional RSA-based crypto to include the Elliptic Curve Digital Signature Algorithm (ECDSA), a form of Elliptic Curve Cryptography (ECC) that the firm says will be 10,000 times harder to break than an RSA key. Certificates are used to prove a site's identity to the visitor through a validation check that involves the user's browser and the site certificate, and Symantec argues that this authentication will happen faster with ECDSA.
ECC represents a different mathematical approach to crypto, originating in the 1980s, that aims for faster processing at shorter key lengths. Speed matters more now because, as Symantec points out, the National Institute of Standards and Technology (NIST) is requiring websites covered under federal regulations to migrate from RSA 1024-bit to 2048-bit certificates by Jan. 1, 2014. This is regarded as a precautionary measure because longer keys are harder to break, and the NIST guideline on key length for website certificates is expected to be followed beyond government by business as well.
Breaking crypto in certain instances can be done through "brute force," notes Bob Hoblit, senior director of product management in Symantec's Website Security Solutions division, referring to computer-based attacks that use raw processing power to try to crack the underlying math. However, longer keys are more computationally intensive and slower in use.
Symantec argues that the advantage of ECC is that it will be harder to break than an RSA key -- and Symantec specifically points to National Security Agency analysis of ECC in general, which holds that a 256-bit ECC key offers security equivalent to a 3072-bit RSA key.
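The two figures above (the NIST 2048-bit RSA floor and the 256-bit ECC to 3072-bit RSA equivalence) are exactly what a certificate inventory check needs. The following Go program is an added example, not Symantec's code: it classifies a parsed certificate's public key by algorithm and size, reports the comparable RSA strength for ECC keys, and flags anything below the 2048-bit floor. The test hostname and self-signed certificate are constructed for the demonstration; the ECC-to-RSA table follows NIST SP 800-57.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assessment is one row of a certificate-inventory report.
type Assessment struct {
	Algorithm     string
	KeyBits       int
	RSAEquivalent int  // RSA modulus size of comparable strength
	Compliant     bool // at or above the 2048-bit RSA floor the article cites
}

// eccToRSA maps ECC curve sizes to RSA sizes of comparable strength (NIST SP 800-57).
var eccToRSA = map[int]int{224: 2048, 256: 3072, 384: 7680, 521: 15360}

// Assess classifies the subject public key of a parsed certificate.
func Assess(cert *x509.Certificate) Assessment {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		bits := pub.N.BitLen()
		return Assessment{"RSA", bits, bits, bits >= 2048}
	case *ecdsa.PublicKey:
		bits := pub.Curve.Params().BitSize
		return Assessment{"ECDSA", bits, eccToRSA[bits], eccToRSA[bits] >= 2048}
	}
	return Assessment{Algorithm: "unsupported"} // anything else is flagged for manual review
}

// main mints a throwaway self-signed P-256 certificate (constructed data) and assesses it.
func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a nil key panics below
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above parses cleanly
	fmt.Printf("%+v\n", Assess(cert))
}
```

Run against a real deployment, the same Assess call would be fed certificates pulled from each host's TLS handshake; an RSA 1024-bit result comes back with Compliant false.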
Symantec says its testing of ECC shows better server-to-desktop performance and response time: an RSA certificate handling 450 requests per second had an average response time of 150 milliseconds to the desktop, while an ECC certificate under the same conditions averaged just 75 milliseconds.