Elliptic Curve Digital Signature Algorithm (ECDSA) Defined

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 01/12/2022 - 12:18
Time to read: 3 minutes

The elliptic curve digital signature algorithm (ECDSA) is a form of digital signature. Cryptocurrency traders use it almost exclusively to prove their identities. But some websites use the technology too. 

We cover what makes the ECDSA algorithm different and uncover pitfalls that might make it risky for websites to implement. 

How does a signature algorithm work?

Let's begin with a bit of background on signature algorithms and the protections they offer. 

When you visit a site that begins with https://, your browser does two important things:

  1. Connect: The two systems use an encrypted channel to exchange information. 
  2. Verify: The browser uses cryptography to ensure that the site isn’t a fake put up by a bad actor. 

Signature algorithms make this process possible. Both browsers and servers have two keys (public and private) made up of mathematically related numbers. A private key creates a digital signature, and a public key can check its validity. 

Since the mid-1990s, websites have used relatively simple mathematical principles in key generation. Hackers love this idea, as cracking the code is somewhat easy. 

What is ECDSA? 

Complexity sits at the core of the ECDSA key-creation process. 

It’s mathematically simple to compute a key in one direction with ECDSA, but it’s very difficult to reverse the process. We won’t dig too deep into the math, but know that it begins with a curve represented by (y2 = x3 + ax + b). A number on that curve is multiplied by another, and that produces yet another point on the curve. Even if you know one number, finding the other is challenging. 

Breaking the ECDSA curve means solving something called the elliptic curve discrete logarithm problem, and that’s notoriously hard to do. Hackers keep trying, but it’s a very tough math challenge to overcome. 

ANSI accepted ECDSA as a standard in 1999, and IEEE and NIST accepted it as a standard in 2000. Some sites have implemented this form of digital signature in the intervening years, but it’s far from the dominant method. 

ECDSA advantages and disadvantages 

Digital signatures are a critical part of internet protections. But should you use ECDSA algorithms or another version?

Known benefits include:

  • Lowered risk. It’s mathematically challenging to crack an ECDSA code, although hackers will certainly try to do so. 
  • Faster load times. Websites aim to load pages within about a half-second. Exchanging keys adds time. ECDA’s keys are small, which means they can speed up a site. 
  • Required use. If you’re operating within the bitcoin environment, you must use ECDSA. No other option is available to you. 

Risks involve complexity. Implement the technology poorly (as Sony did in 2010), and you’ll leave your site open to hacking. If you’re not certain how to put it into practice, it’s best to stick with technology you know. 

Let us help

You know you must protect critical data, but you aren't sure how to make it happen. We understand, and we can help. Find out more about what we can do to protect your data, employees, and customers. 

References

ECDSA vs. RSA: Everything You Need to Know. (June 2020). InfoSec. 

The Elliptic Curve Digital Signature Algorithm. (2001). Certicom Corporation. 

What Is a Good Page Load Time for SEO: How Fast Is Fast Enough? (December 2020). SEM Rush. 

PS3 Hacked Through Poor Cryptography Implementation. (December 2010). Ars Technica.