
Google And Cloudflare Are Changing The Trust Infrastructure of the Internet: A Long Goodbye to RSA and a Hello to ECC and ECDSA

The RSA method was created by Rivest, Shamir and Adleman in 1978, and it is still used to encrypt and sign data. The core of trust on the Internet is PKI: a Web site has a public key, and that key has been signed by a trusted root provider. There is thus a chain of trust that takes us up to a root signer, and normally the site's public key is verified by an intermediate trust provider. If we look at Twitter's public key, we see it has an intermediate signing from DigiCert TLS and then from a root provider, DigiCert Global Root CA:

In the case of Twitter, we see they have an RSA public key with a 2,048-bit modulus:

There is then a signature created with a SHA-256 hash and RSA signing. But, while RSA is the most commonly used method for providing public keys, there is a growth in the usage of elliptic curves and of ECDSA signing. Why? Because RSA is a computationally expensive method and often struggles on devices with limited processing capabilities. The first of the major companies to move from RSA keys to ECC (Elliptic Curve Cryptography) keys was Cloudflare, and we can see that their keys use elliptic curves. For this I will use the Medium.com site:

As we see, the site is using the P-256 elliptic curve, and we have a 512-bit public key value (where the associated private key is 256 bits long):

The reason it is 512 bits long is that the encoded point is 65 bytes: 64 bytes of key and one byte to identify the public key point type. In elliptic curve cryptography, we have a random private value (d) and create a public key of d.G, where G is the base point on the curve. As the public key is a point, it has an x value and a y value, and these together give us 512 bits. But, who else is adopting elliptic curve keys and ECDSA signing? Well, Google! Here is the current Google public key on its Web site:

Again, you can see it is a P-256 curve.
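To make the d.G construction and the 65-byte point encoding concrete, here is an added example (not code from the article): it uses the published P-256 domain parameters, derives a public key point from a private scalar d with plain affine double-and-add, and decodes an uncompressed 0x04 || x || y public key, rejecting any point that does not lie on the curve. The function names are my own; the arithmetic is illustrative and not constant-time, so it is for understanding the encoding rather than for production use.

```python
# P-256 (secp256r1) domain parameters as published by NIST (added example, not from the article).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # field prime
A = P - 3                                                              # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b  # curve coefficient b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296  # base point G, x
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5  # base point G, y
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G

def parse_uncompressed_point(raw: bytes):
    """Decode the 65-byte SEC1 encoding 0x04 || x || y and reject points off the curve."""
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected 65 bytes starting with the uncompressed-point tag 0x04")
    x = int.from_bytes(raw[1:33], "big")   # 256-bit x coordinate
    y = int.from_bytes(raw[33:65], "big")  # 256-bit y coordinate
    if x >= P or y >= P or (y * y - (x ** 3 + A * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over GF(P); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2                    # infinity is the identity element
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # Q + (-Q) = infinity (also covers y == 0 doubling)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(d, pt):
    """Compute d.pt by right-to-left double-and-add (not constant-time; illustration only)."""
    result, addend = None, pt
    while d:
        if d & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        d >>= 1
    return result

def public_key_from_private(d: int) -> bytes:
    """Derive the 65-byte uncompressed public key (0x04 || x || y) for a private scalar d."""
    if not 1 <= d < N:
        raise ValueError("private key must be in [1, N-1]")
    x, y = scalar_mult(d, (GX, GY))
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
```

The 64 coordinate bytes are the 512 bits the article refers to; the leading tag byte makes the wire encoding 65 bytes, and a receiver should always run the on-curve check before using a decoded point.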

Conclusion

The root of trust on the Internet is changing: RSA is slowly being moved off the stage, and RSA signing is being replaced by ECDSA. It will take a while, but there is likely to be a migration towards ECC (Elliptic Curve Cryptography) and toward the more efficient ECDSA signing method. But RSA has served us well over the decades and is still going strong.