Next Generation Cryptography now available with Azure Web Sites

Securing your site with SSL has never been more important, but even though encryption isn’t new, cryptographers keep looking for ways to be more secure and we in Azure Web Sites are always looking for ways to support the latest and greatest. Today, the greatest is Elliptic Curve Cryptography (ECC) certificates.

Elliptic curve cryptography is an encryption technology based on the algebraic structure of elliptic curves over finite fields. If that sounds complicated, don’t fret…not a lot of people get it. Elliptic curves are graphs drawn based on the y² = x³ + ax + b family of algebraic functions. When you plot the X and Y values of such a function, the curve looks elliptic and symmetric. For example, the graph for the function y² = 4x³ - 4x + 4 would look like this:

[Image 1: graph of the example curve (Erez Benari, Next Generation Cryptography now available with Azure Web Sites)]

Without going too deep into the math behind this, the symmetry and computational complexity in this sort of function allows us to efficiently create a public and private key set that are much harder to break. We generate the private key, then use a selected elliptic function to derive the public key from it. Reversing this (as in, an attacker calculating the private key from the public key) is a monumental computational task that would be unrealistic with today’s technology and should remain so for many more years. Compared to the classic private/public key generation, this is harder by a factor of 10, approximately (read this if you want all the gory details). This means that a 256-bit key set generated using ECC is equivalent to a key over 2600 bits long in RSA. The standard in today’s market is 2048 bits, which would still take a VERY long time to crack with today’s computing power, so cracking an ECC key set would be virtually impossible even for someone with access to supercomputers.
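The key derivation described above, as an added Python example that is not part of the original post: it derives a public key from a private key on a constructed toy curve (y² = x³ + 2x + 2 over the integers mod 17, base point (5, 1)) and then shows the reverse direction as a search through every candidate. The curve parameters and all function names are assumptions chosen for illustration; real certificates use standardized curves with roughly 256-bit parameters.

```python
# Toy curve y^2 = x^3 + A*x + B over the integers mod P (constructed values,
# far too small for real use; production curves use ~256-bit parameters).
P, A, B = 17, 2, 2
G = (5, 1)      # base point on the curve; it generates a group of 19 points
INF = None      # the "point at infinity", the identity element of the group

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Add two curve points with the chord-and-tangent rule."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p2 mirrors p1
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P   # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P          # chord slope
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def derive_public(private_key, base=G):
    """Public key = private_key * base, computed by double-and-add."""
    result, addend = INF, base
    while private_key:
        if private_key & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        private_key >>= 1
    return result

def recover_private(public_key):
    """Reverse direction: this example simply tries every multiple of G.
    That only finishes because the toy group has 19 points."""
    candidate, point = 1, G
    while point != public_key:
        candidate, point = candidate + 1, add(point, G)
    return candidate

if __name__ == "__main__":
    pub = derive_public(13)
    print("public key:", pub, "on curve:", on_curve(pub))
    print("recovered by exhaustive search:", recover_private(pub))
```

Double-and-add needs a number of steps proportional to the bit length of the private key, while the search grows with the size of the group, which is why the forward direction stays cheap as keys get longer and the reverse direction does not.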

What all this means in the real world is that instead of buying a regular SSL Certificate to secure your site, you can choose to purchase an ECC certificate instead, thus having better security. ECC certificates are relatively new to the market, and so not many certificate providers offer them. One such provider is Symantec and another is Entrust; other providers will soon jump on the bandwagon as well.

If this is interesting to you, then you will be glad to know Azure Web Sites has been tested and fully supports ECC certificates! To use one, work with your certificate provider of choice to buy one, and then simply upload it to Azure as a PFX file like you would upload a classic RSA certificate and assign it to your site. That’s all there is to it! Keep in mind that not all clients support ECC certificates, but if you’re running Windows Vista or later, you should be able to browse to your site over SSL regularly without any configuration or changes to the client. Stay safe!