
SHA-2 vs ECC: Digital Certificate Encryption Advancements

Key Points
  • ECC is widely recognized as the superior hashing algorithm.
  • SecureW2 is able to deploy certificates with both ECC and SHA depending on your needs.

If you have an interest in cybersecurity, you may have come across the acronyms SHA-2 and ECC (Elliptic Curve Cryptography). These are two different methods that relate to certificate-based authentication, and both can play important roles in the cryptographic process.

If you’re looking to use either one of these protocols, SecureW2 can help you make the switch to a powerful certificate-backed network. Check out how we helped this school district make the switch to 802.1X.

In order to understand the difference between SHA-2 and ECC, we first have to break down some fundamentals of how digital certificates work.


What is a Hash?

Simply put, a hash or hashing algorithm is a mathematical function that condenses data to a fixed size. That is to say, when a value is put into a hash, the result or hash value is a condensed version of the original value.

This differs from encryption because hashing is a one-way function. While it’s technically possible to reverse a hash, the computing power required makes it practically impossible, which is why it’s such a powerful tool in cybersecurity.

Hashing algorithms are used in a multitude of different applications in cybersecurity – they are used for storing passwords, MAC address authentication, and digital signatures. Certificates use these digital signatures as a means to provide assurance that entities are who they claim to be.

Digital signatures are incredibly fickle, meaning that any change to a file will cause the signature to change, so the hashing algorithm is used to detect whether any unforeseen changes have been made. This makes it impossible for an attacker to modify a legitimate certificate or create a fraudulent certificate that looks legitimate: a different hash means that the signature would no longer be valid.


What Are SHA-1 and SHA-2?

SHA stands for Secure Hash Algorithm, and SHA-2 is the more advanced iteration of the algorithm. SHA-1 produces a 160-bit hash, whereas SHA-2 is actually a family of hash functions that comes in a variety of output lengths, the most popular being 256-bit. This essentially means SHA-2 is more complex and harder to crack than its predecessor.

Up until 2015, SHA-1 was the primary algorithm; however, due to research indicating the weaknesses of SHA-1, a shift was deemed necessary. In fact, Google even publicly cracked SHA-1 to prove its vulnerabilities.

So, from 2016 onward, SHA-2 has been the standard for digital certificates.

As time progresses, attacks against cryptographic techniques become more advanced, making SHA-2 less secure in 2021 than it was in 2016. But is there a better alternative?


What is Elliptic Curve Cryptography (ECC)?

ECC (Elliptic Curve Cryptography) is a public key cryptography method based on the use of elliptic curves over finite fields. The most important difference between ECC and SHA is the size of the function in relation to the cryptographic strength it provides.

ECC is able to provide the same cryptographic strength as the SHA system while requiring far less processing power. Simply put, ECC is a more efficient and powerful hash function than SHA.

The small size of ECC speeds up SSL handshakes, which translates into faster connections and higher security. The small size also allows you to equip certificates to devices with limited processing power, such as IoT devices.

In order to perform cryptographic functions effectively, most devices need some sort of dedicated cryptographic processor, such as a hardware security module or a smartcard. These are pretty small already; in the case of a smartcard, small enough to be embedded as a microchip in a credit card.

ECC having such a low data requirement allows us to use smaller, faster, and cheaper crypto processors, which vastly expands the range of products they can be integrated with.

In order to illustrate how much more secure this method is, Arjen Lenstra published a paper that introduced the concept of “Global Security”. He simplified algorithm security into quantifiable and recognizable measurements, for example, how much energy it would take a computer to crack the code and how much water that same amount of energy could boil.

To crack a 228-bit RSA key would require the same amount of energy as needed to bring a teaspoonful of water to boiling point.

To crack a 228-bit ECC key, you’d need an amount of energy capable of boiling all of the water on the entire planet Earth. An equivalent RSA key would require 2,380 bits.


What’s Better: ECC or SHA?

Despite the advantages of ECC over SHA-2, the latter is still used in more than 90% of SSL certificates. While elliptic curve cryptography is better for most purposes, most sites aren’t using ECC yet because server and client software has been slow to support it, and not every Certificate Authority (CA) is currently capable of providing SSL certificates that use ECC keys.

The fact of the matter is, ECC is far more efficient and powerful than SHA; the problem lies with certificate providers who are unwilling to evolve with the times.

Luckily, SecureW2 is fully capable of issuing certificates with SHA and ECC with ease!


ECC-Backed Certificates With SecureW2

ECC is widely recognized as the superior hashing algorithm, primarily for its compatibility with IoT devices. The more certificates deployed to network-accessing devices, the more secure your network is as a whole.

SecureW2 has pioneered a cutting-edge IoT platform that empowers organizations to enroll devices for certificates using ECC quickly and securely. Contact our specialists today to find out if we’re the right fit for your organization’s IoT security needs.


Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
