Elliptic Curve Cryptography

Java supports all DHE-RSA related SSL cipher suites, but uses different names than OpenSSL.

Elliptic Curve Cryptography (ECC) is an encryption technique that provides public-key encryption similar to RSA. While the security strength of RSA is based on very large prime numbers, ECC uses the mathematical theory of elliptic curves and achieves the same security level with much smaller keys.

The mathematical background of ECC is described in RFC 6090:


http://tools.ietf.org/html/rfc6090

The use of ECC in SSL/TLS is described in RFC 4492.

http://tools.ietf.org/html/rfc4492

In practice, ECC is often used with Diffie-Hellman to speed up performance. ECC does not replace RSA for authenticating the communication partners, but is used for generating the ephemeral DH session key with the help of an EC private key. RSA is still used for providing authentication. The related SSL cipher suites all have ECDHE-RSA in their names and complement the plain DHE-based cipher suites.

The main advantage of Elliptic Curve Cryptography with Diffie-Hellman (ECDHE-RSA) over plain Diffie-Hellman (DHE-RSA) is better performance and the same level of security with less key bits. A disadvantage is the additional effort for creating and maintaining the EC key.

The next section shows how to set up and use ECDHE-RSA on z/VSE.