Why Elliptic Curve Cryptography is Necessary for Secure Remote Access

Monday, August 26, 2013

Patrick Oliver Graf


Recently, there have been many advances in cracking encryption algorithms that are the basis for the most common cryptography systems, such as Diffie-Hellman, RSA and DSA. Experts warn that within the next several years, the RSA public key cryptography system could even potentially become obsolete. If that is the case, how will enterprises be able to ensure secure remote access in the near-future?

First, let’s take a look at the problem itself. Encryption algorithms ensure security by utilizing the assumption that certain mathematical operations are exponentially difficult, such as the problems of integer factorization and the discrete logarithm, to prevent the decryption of public and private keys. As the key length increases, it becomes exponentially harder to decrypt, which is why key sizes are typically 128 bits and above.

After more than 30 years of little progress, researchers have recently started creating faster algorithms for limited versions of the discrete logarithm problem, which has rung the alarm for the entire cryptographic community. It has made us realize that we need to implement a more secure standard, Elliptic Curve Cryptography (ECC).

ECC is the best option moving forward for secure remote access via VPNs, because it is based on an operation that not only is difficult to solve but also is a very different problem from the discrete logarithm and integer factorization. Due to its unique characteristics, it is not impacted by advances in decrypting cryptography systems that utilize either of those problems. Currently, ECC is still not widely in use, but that is starting to change. It is particularly important for enterprises to implement ECC over the next several years to improve network security, because if decryption advances proceed at the current rate, TLS, a common protocol that ensures secure communications over the Internet, will be vulnerable to hackers until TLS 1.2, which includes ECC support, becomes widely available. If TLS communications can be decrypted, hackers could steal sensitive data, such as corporate financial information and documents, or even gain complete access to a corporate network to bring it down from the inside.

Implementing ECC right now will ensure that the worst case scenario will not happen. It’s time for enterprises to stay ahead of the curve, and use ECC to protect remote access to their corporate networks.

This post originally appeared on VPNHaus.com.

Possibly Related Articles:
General Network->General Enterprise Security Policy Security Awareness
Encryption VPN Elliptic Curve Cryptography
Post Rating I Like this!
David Wheeler Patrick, I think you need to go back and check some of the literature on ECC. ECC is not a different problem, ECC is the discrete log problem. ECC is a different problem from RSA, which is based upon Integer Factorization. From Wikipedia: "For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible."
From L. Washington's book, "Elliptic Curves: Number Theory and Cryptography", pp 159, "One might wonder why elliptic curves are used in cryptographic situations. The reason is that elliptic curves provide security equivalent to classical systems while using fewer bits." The discrete log problem is to find k such that a^k = b mod p, where = means congruence here, and a & b are elements of a mathematical group. The group could be a finite field, or an elliptic curve defined over a finite field. In either case, the problem is the discrete log.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.