Cerberus FTP Server supports Elliptic Curve Cryptography
Comparing ECC to RSA and Diffie-Helman
ECC’s efficiency and security is considered strong enough that the US National Security Agency (NSA) included it, while excluding RSA, from its Suite B cryptography recommendations. Suite B is a set of algorithms that the NSA recommends for use in protecting both classified and unclassified US government information and systems.
One of the ways judgments are made about the correct key size for a public key system is to look at the strength of the conventional (symmetric) encryption algorithms that the public key algorithm uses to key or authenticate. The following table gives the key sizes recommended by the National Institute of Standards and Technology (NIST) to protect keys used in conventional encryption algorithms like the DES and AES together with the key sizes for RSA, Diffie-Hellman and elliptic curves that are needed to provide equivalent security.
|Symmetric Key Size (bits)||RSA and Diffie-Hellman Key Size (bits)||Elliptic Curve Key Size (bits)|
|Table 1: NIST Recommended Key Sizes (from NSA’s “The Case for Elliptic Curve Cryptography“)|
As symmetric key sizes increase the required key sizes for RSA and Diffie-Hellman increase at a much faster rate than the required key sizes for elliptic curve cryptographic systems. Elliptic curve systems offer more security per bit increase in key size than either RSA or Diffie-Hellman public key systems.
Elliptic curve cryptographic systems are also more computationally efficient than the first generation public key systems, RSA and Diffie-Hellman. Although elliptic curve arithmetic is slightly more complex per bit than either RSA or DH arithmetic, the added strength per bit more than makes up for any extra compute time. The following table shows the ratio of DH computation versus EC computation for each of the key sizes listed in Table 1.
DH Cost : EC Cost
|Table 2: Relative Computation Costs of Diffie-Hellman and Elliptic Curves|
Elliptic curve cryptography support is still in its infancy but its use will only grow in the coming years. You can try it now using Cerberus FTP Server 6.0 or higher.
How to get ECC support in Cerberus FTP Server
ECC cryptography for FTPS and HTTPS is only supported in Cerberus FTP Server 6.0 and higher.
SSH SFTP Elliptical Curve Key Exchange is supported in Cerberus FTP Server 4.0.9 and higher. Version 4.0.9 and higher support Elliptic Curve Diffie-Hellman (ECDH) key agreement, Elliptic Curve Digital Signature Algorithm (ECDSA), and elliptic curve public keys for SSH SFTP as specified in RFC 5656. Only the required NIST curves at 256, 384, and 521 bits with uncompressed points are currently supported.
You can find the latest release of Cerberus FTP Server on our downloads page.