ECC SSL Certificate Generation and LiteSpeed Web Server

ECC SSL certificates are supported by LiteSpeed Web Server, and ECC generation is now a feature in the user-end cPanel plugin.

What is an ECC SSL certificate?

An ECC SSL certificate is similar to a traditional RSA SSL certificate, except that it uses Elliptic Curve Cryptography (ECC) for its key exchange (elliptic-curve Diffie–Hellman [ECDH]) and signing (Elliptic Curve Digital Signature Algorithm [ECDSA]) operations.

Is ECC better than RSA?

Why use an ECC SSL certificate over a traditional RSA SSL certificate? In short, an ECC certificate can achieve the same level of security as an RSA certificate at a much smaller size, with the added benefit that ECC is also easier to encrypt/decrypt than RSA (especially attractive for mobile users, who may have underpowered processors).

| Symmetric Key Size / Security Level (bits) | RSA and DSA Key Size (bits) | ECC Key Size (bits) |
|---|---|---|
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |
| 256 | 15360 | 512 |

(Source: https://casecurity.org/2014/06/10/benefits-of-elliptic-curve-cryptography)

A 1024-bit RSA key is the lower bound for what is considered “secure” given the computation power available today. As the table above shows, that level of security can be matched with just a 160-bit ECC key. This size disparity only widens as higher levels of security are required, making ECC certificates the more future-proof option as well.

Combine this with the fact that ECC encryption/decryption requires less processing power than RSA, and there is the potential to significantly increase server throughput by making the switch.
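The size difference can be measured directly. The script below is an added example, not part of the original post or of LiteSpeed's plugin: it generates a P-256 ECC key and an RSA-3072 key (the 128-bit row of the table), self-signs a certificate for each, and reports the encoded sizes. It assumes the `openssl` command-line tool is on the PATH; the hostname `ecc-demo.example.test`, the 30-day lifetime and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a P-256 ECC certificate with an RSA-3072 one
# (the 128-bit row of the table above). All names and values are constructed.
set -eu

# make_cert <algorithm> <genpkey option> <basename>
# Writes <basename>.key and a 30-day self-signed <basename>.crt.
make_cert() {
    openssl genpkey -algorithm "$1" -pkeyopt "$2" -out "$3.key" 2>/dev/null
    openssl req -new -x509 -sha256 -days 30 -key "$3.key" \
        -subj "/CN=ecc-demo.example.test" -out "$3.crt"
}

# Size in bytes of the DER-encoded public key / certificate.
pubkey_der_size() { openssl pkey -in "$1" -pubout -outform DER | wc -c | tr -d ' '; }
cert_der_size()   { openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '; }

# Public-key algorithm recorded in the certificate (id-ecPublicKey for ECC).
cert_key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# key_matches_cert <key> <cert>: true only if the certificate carries the
# public half of this private key (worth checking before installing a pair).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert EC  ec_paramgen_curve:prime256v1 "$WORK/ecc"
make_cert RSA rsa_keygen_bits:3072         "$WORK/rsa"

for name in ecc rsa; do
    key_matches_cert "$WORK/$name.key" "$WORK/$name.crt" \
        || { echo "$name: key/cert mismatch" >&2; exit 1; }
    printf '%s: %s, public key %s bytes, certificate %s bytes (DER)\n' "$name" \
        "$(cert_key_alg "$WORK/$name.crt")" \
        "$(pubkey_der_size "$WORK/$name.key")" \
        "$(cert_der_size "$WORK/$name.crt")"
done
```

The certificate sizes include the signature as well as the public key, so the gap between the two certificates is larger than the gap between the public keys alone.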

LiteSpeed Supports ECC SSL

LiteSpeed Web Server both supports ECC certificate usage directly and, as of version 5.4.8, has the ability to load ECC certificates in parallel with existing RSA certificates when the Enable Multiple SSL Certificates setting is enabled (disabled by default). In the case of parallel loading, ECC certificates will be used for SSL if supported by the browser/protocol making the request. If unsupported, it will fall back to existing DSA/RSA certificates.

LiteSpeed made the decision to add ECC support for two compelling reasons. First, Internet Explorer 11 uses a weak cipher suite for RSA. This is not a problem with their ECC cipher suite, so adding ECC support provides a more secure option for those users. The other reason comes down to server performance. When serving SSL traffic with an ECC certificate, LiteSpeed Web Server can complete SSL handshakes faster, improving both the speed and the number of concurrent clients that can be served.

cPanel ECC Integration

Despite feature requests going back a number of years, cPanel has so far chosen to not officially support the generation and use of ECC certificates.

Fortunately for those interested, we have added an ECC Certificate Management feature to the latest release of our user-end LiteSpeed Web Cache Manager plugin for cPanel (v2.1), shipped with LSWS v5.4.9. With this new feature, cPanel users can still improve their site performance by generating a new ECC certificate for each of their domains with only a few clicks. These generated certificates will be loaded in parallel with any existing RSA certificates, and certificate renewal is handled automatically by the cPanel plugin itself.

ECC SSL Generation in LiteSpeed Web Cache Manager

Notes:

Conclusion

Most major browsers already support ECC, and support continues to grow. Meanwhile, RSA-encrypted certificates are quite literally outgrowing their ability to meet the security needs of tomorrow. It would appear that smaller and faster ECC encrypted certificates are the next natural step in SSL security.

Are you ready to switch to ECC SSL?


