40% smaller TLS handshake with ECC cert for IoT Hub

Preview IoT Hub's new ECC cert to save on bandwidth, compute, and power during the TLS handshake.
Microsoft

Azure IoT Hub's Elliptic Curve Cryptography (ECC) server TLS certificate, also known as an ECDSA certificate, is now in public preview. Compared to the conventional RSA server certificate, a TLS handshake with the ECC certificate uses less data, is less computationally intensive, and is faster, all meaningful benefits for constrained IoT devices.

RSA vs ECC certificates

While offering cryptographic security equivalent to RSA certificates, ECC certificates use smaller key sizes. The following table (source: RFC 4492) compares the approximate key sizes, in bits, that give comparable strength:

Symmetric   ECC   RSA
80          163   1024
112         233   2048
128         283   3072
192         409   7680
256         571   15360

Smaller key sizes result in smaller certificates and less data usage for the TLS handshake. This is particularly important for IoT devices because of their smaller profiles and memory (such as RTOS devices), and for use cases in network-limited environments (such as cargo ships and remote areas).

IoT Hub results

We ran experiments comparing ECC (256-bit) and RSA (2048-bit) certificates for this IoT Hub preview. We found that TLS handshake data usage went from ~4500 bytes to ~2700 bytes, 40% less! Beyond the reduction in your bandwidth bills, the savings in battery, computation, and memory should not be overlooked. For example, in Azure RTOS we saw a possible 4 KB reduction in the TLS stack memory footprint when ECC is used. Such a reduction is significant for a device with limited memory, as it opens up the possibility of reusing that memory for purposes that were not previously possible.

Getting started

To get started:

  1. You'll need to create a brand new IoT hub with preview mode enabled. This is a temporary limitation; once the feature is out of preview, it will be available to existing IoT hubs as well.
  2. Follow our docs to prefer ECDSA cipher suites, which tells IoT Hub to present the ECC cert.