Compare RSA - DSA - ECC Encryption Algorithms
Public Key Cryptography uses math to create two keys: a Public Key for encrypting messages and a Private Key for decrypting them.
This ensures that only the intended recipient can read the message. The main algorithms used are RSA, DSA, and ECC, each with its own advantages in performance, speed, and security.
RSA is the oldest and is known for its strength. ECC offers better security with smaller keys, making it suitable for devices with limited processing power. DSA, which the U.S. Federal Government supports, is effective for signing and verifying messages. These cryptographic methods support digital certificates for secure web browsing and other digital identity uses. As quantum computing advances, new post-quantum algorithms are in development to maintain security in the future.
RSA, DSA, and ECC are the main encryption algorithms for creating keys in Public Key Infrastructure (PKI). PKI helps manage identity and security in online communications and networking. The key technology behind PKI is Public Key Cryptography, which uses two related keys: a Public Key and a Private Key.
These keys work together to encrypt and decrypt messages. This method is called asymmetric encryption. It differs from symmetric encryption, which uses one key for both processes.
The benefit of asymmetric encryption is that the Public Key can be shared openly, while the Private Key remains secure on the user's device. This setup offers better security compared to symmetric encryption.
How Public Key Cryptography Relies On Encryption
Public Key Cryptography uses mathematical algorithms to create keys. The Public Key is a series of random numbers used to encrypt messages. Only the person for whom the message is intended can unlock and read it by using a Private Key, which remains secret and known only to them.
Public Keys are made with complex algorithms that link them to their Private Keys to prevent brute force attacks. The size of the Public Key, measured in bits, affects its security. For instance, 2048-bit RSA keys are commonly used in SSL Certificates, digital signatures, and various digital certificates. This key size provides enough security to deter hackers. Organizations like the CA/Browser Forum set minimum standards for key sizes.
Public Key Infrastructure (PKI) enables the digital certificates we often encounter while using websites, mobile apps, online documents, and connected devices. One well-known application of PKI is X.509-based Transport Layer Security (TLS) and Secure Sockets Layer (SSL), which forms the foundation of the HTTPS protocol for secure web browsing.
Digital certificates are also used for application code signing, digital signatures, and other aspects of digital identity and security.
RSA - DSA - ECC Algorithms
Three main algorithms are used to generate keys in Public Key Infrastructure (PKI): Rivest–Shamir–Adleman (RSA), Digital Signature Algorithm (DSA) and Elliptic Curve Cryptography (ECC).
The RSA algorithm, created in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman, relies on the difficulty of factoring the product of two large prime numbers. It was the first to implement the Public Key / Private Key system. The common key length for RSA today is 2048 bits.
ECC is based on the mathematics of elliptic curves and offers similar security to RSA and DSA but with shorter keys. It is the newest of the three algorithms. The Elliptic Curve Digital Signature Algorithm (ECDSA) was recognized in 1999, followed by Key Agreement and Key Transport Using Elliptic Curve Cryptography in 2001. ECC is certified by FIPS and supported by the National Security Agency (NSA).
DSA uses a different method than RSA to generate public and Private Keys, relying on modular exponentiation and the discrete logarithm problem. It provides security levels similar to RSA with keys of the same size. DSA was introduced by the National Institute of Standards and Technology (NIST) in 1991 and became an official standard in 1993.
Multiple encryption algorithms can be used together. For instance, Apache servers can manage both RSA and DSA keys. This approach improves security.
ECC Encryption Strength Comparison
The main difference between ECC and RSA / DSA is that ECC provides stronger security for the same key length. An ECC key is more secure than an RSA or DSA key of equal size.
| Symmetric Key Size (bits) | RSA Key Size (bits) | ECC Key Size (bits) |
|---|---|---|
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |
| 256 | 15360 | 521 |
ECC allows for similar cryptographic strength with much smaller key sizes (roughly ten times smaller). For instance, to match the cryptographic power of a 112-bit symmetric key, an RSA 2048-bit key is needed, while only a 224-bit ECC key is necessary.
These shorter keys require less processing power for encrypting and decrypting data. This makes ECC ideal for mobile devices, the Internet of Things, and other applications with limited computing capabilities.
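The table above can be turned into a key-inventory check. The following is an added example, not code from the original page: it classifies arbitrary key sizes by the table row they reach, and goes beyond the page by estimating where the table's numbers come from (the general number field sieve running-time estimate for RSA, and half the key length for ECC). The inventory names and the 112-bit minimum are assumptions, and DSA is scored on the RSA column because the page states it matches RSA at equal key size.

```python
import math
from bisect import bisect_right

# Rows of the page's table: (symmetric strength, RSA bits, ECC bits).
TABLE = [(80, 1024, 160), (112, 2048, 224), (128, 3072, 256),
         (192, 7680, 384), (256, 15360, 521)]

def table_strength(alg, key_bits):
    """Strength of the largest table row the key reaches (0 if below all)."""
    # The page states DSA matches RSA at equal size, so both use the RSA column.
    col = 2 if alg.upper() in ("ECC", "ECDSA") else 1
    sizes = [row[col] for row in TABLE]
    i = bisect_right(sizes, key_bits)
    return TABLE[i - 1][0] if i else 0

def estimated_strength(alg, key_bits):
    """Approximate attack cost in bits, showing where the table comes from."""
    if alg.upper() in ("ECC", "ECDSA"):
        return key_bits / 2          # generic square-root attack on the curve group
    n = key_bits * math.log(2)       # natural log of the modulus
    # General number field sieve running-time estimate (commonly used constants).
    return (1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69) / math.log(2)

def audit(inventory, minimum=112):
    """Return (name, alg, bits, strength) for keys below the minimum strength."""
    weak = []
    for name, alg, bits in inventory:
        s = table_strength(alg, bits)
        if s < minimum:
            weak.append((name, alg, bits, s))
    return weak

# Constructed inventory for illustration; the names are hypothetical.
INVENTORY = [("legacy-vpn", "RSA", 1024), ("web-frontend", "RSA", 2048),
             ("iot-sensor", "ECC", 256), ("old-signer", "DSA", 1024),
             ("smartcard", "ECC", 192), ("root-ca", "RSA", 4096)]

if __name__ == "__main__":
    for sym, rsa, ecc in TABLE:
        print(sym, round(estimated_strength("RSA", rsa)),
              round(estimated_strength("ECC", ecc)))
    for finding in audit(INVENTORY):
        print("below minimum:", finding)
```

The estimates land within a few bits of each table row, which is why a key size that falls between rows (such as RSA 4096) is scored at the row below it rather than rounded up.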
Why ECC Hasn't Been Widely Used
RSA is the most popular encryption method, but ECC is becoming more well-known. RSA has an advantage because it has been in use for a longer time. However, there are reasons why some people may choose to avoid ECC:
- Learning Curve: ECC is harder to understand and adopt compared to RSA. This complexity can lead to mistakes, which can harm cybersecurity.
- Security Risks: ECC is at risk from side-channel attacks, which could open the door to brute force attempts. It is also susceptible to twist security attacks, though there are ways to protect against them.
Quantum Computing
Quantum computing is set to change encryption methods significantly. Traditional algorithms like RSA and ECC will be vulnerable to quantum attacks, making it vital for organizations to switch to new encryption techniques. Fortunately, several new algorithms are already in development.
NIST has assessed current post-quantum cryptography algorithms and selected four effective options: ML-KEM, CRYSTALS-Dilithium, SPHINCS+ and FALCON. Staying informed about these advancements and the new standards will be crucial for organizations moving forward.
