Azure IoT Hub's Elliptic Curve Cryptography (ECC) server TLS certificate, also known as an ECDSA certificate, is now in public preview. Compared to the usual RSA server certificate, a TLS handshake with an ECC certificate transfers less data, needs less computation, and completes faster, all meaningful benefits for constrained IoT devices.
RSA vs ECC certificates
While offering cryptographic security equivalent to RSA certificates, ECC certificates use smaller keys. The following table (source: RFC 4492) compares the approximate key sizes (in bits) that give comparable strength:
| Symmetric | ECC | RSA |
|---|---|---|
| 80 | 163 | 1024 |
| 112 | 233 | 2048 |
| 128 | 283 | 3072 |
| 192 | 409 | 7680 |
| 256 | 571 | 15360 |
Smaller keys mean smaller certificates and less data transferred during the TLS handshake. This matters particularly for IoT devices because of their smaller footprint and memory (RTOS devices, for example) and for use cases in network-limited environments (such as cargo ships and remote areas).
IoT Hub results
We ran some experiments comparing ECC (256-bit) and RSA (2048-bit) certificates for this IoT Hub preview. We found that TLS handshake data usage went from ~4500 bytes to ~2700 bytes, 40% less! Not only does this reduce your bandwidth bills; the savings in battery, computation, and memory should not be overlooked either. For example, in Azure RTOS we saw a possible 4KB reduction in the TLS stack's memory footprint when ECC is used. Such a reduction is significant for a device with limited memory, as it frees that memory for purposes that were not possible before.
Getting started
To get started,
- You'll need to create a brand new IoT hub with preview mode enabled. This is a temporary limitation; once we're out of preview, the feature will be available to existing IoT hubs as well.
- Follow our docs to prefer ECDSA cipher suites on the device, which tells IoT Hub to present the ECC certificate.
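The second step above, as an added example that is not code from the post or from the Azure IoT SDKs: it builds a client-side TLS context with Python's standard-library `ssl` module that lists ECDHE-ECDSA suites ahead of RSA ones, and offers a small check that the ordering really prefers ECDSA authentication. The function and constant names and the cipher string are this example's own choices; it runs offline because it only inspects the context, not a live connection.

```python
import ssl

# Constructed cipher preference: ECDHE-ECDSA suites first, so a TLS 1.2 server
# holding both certificate types selects its ECC certificate; the trailing
# ECDHE-RSA suites keep the handshake working against an RSA-only endpoint.
ECDSA_FIRST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256"
)


def ecc_preferring_context(cipher_string=ECDSA_FIRST):
    """Client context that verifies the server and prefers ECDSA suites."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)              # order given here is kept
    return ctx


def auth_of(cipher_name):
    """Authentication method encoded in an OpenSSL cipher-suite name."""
    if cipher_name.startswith("TLS_"):
        return "any"                            # TLS 1.3 names carry no auth type
    parts = cipher_name.split("-")
    if "ECDSA" in parts:
        return "ECDSA"
    if "RSA" in parts:
        return "RSA"
    return "other"


def ordered_auth(ctx):
    """(suite name, auth) pairs in the order the context will offer them."""
    return [(c["name"], auth_of(c["name"])) for c in ctx.get_ciphers()]


def ecdsa_is_preferred(ctx):
    """True when the first TLS 1.2 suite offered authenticates with ECDSA."""
    tls12 = [auth for _, auth in ordered_auth(ctx) if auth != "any"]
    return bool(tls12) and tls12[0] == "ECDSA"


if __name__ == "__main__":
    for name, auth in ordered_auth(ecc_preferring_context()):
        print(f"{name:40s} {auth}")
```

Use the context with `ctx.wrap_socket(sock, server_hostname=...)` when connecting to the hub; after the handshake, `sock.cipher()` shows which suite was negotiated.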
Updated Dec 03, 2020
Version 1.0
jlianMSFT (Microsoft)