public abstract class EcdsaSignature extends DigitalSignature
ECDSA is a digital signature algorithm based on elliptic curve cryptography. It is the elliptic curve analog of the DSA signature algorithm. ECDSA is defined in the ANSI X9.62-2005 and NIST FIPS 186-3 standards.
Before an EC key (public or private) is used, the EC domain parameters it
contains are first validated; for additional details on the EC domain
parameter validation routine, refer to EcParameterFactory. Before the result of a cryptographic operation involving
an EC public key is returned, the public key is first validated; for
additional details on the EC public key validation routine, refer to
EcPublicKey.
This implementation supports curves in Fp (prime curves). For a
list of the named curves that are supported, refer to
EcParameterFactory. Point compression is not
supported.
The following key types are currently supported:
java.security.interfaces.ECPublicKey or
java.security.interfaces.ECPrivateKey.ECDSAPublicKey
or ECDSAPrivateKey.EcConfinedPrivateKey.TokenECPrivateKey.When the signature algorithm is initialized with a key, an appropriate underlying ECDSA algorithm implementation is automatically selected based on the type of key passed in.
One of the benefits of EC cryptography is that it is able to offer that same amount of security as RSA with much smaller key sizes. The following table compares the security offered by the RSA and EC cryptosystems (information is derived from NIST SP 800-57):
Bits of Security
| RSA Key Size (in bits)
| EC Key Size (in bits)
| |
| 80 | 1024 | 160-223 |
| 112 | 2048 | 224-255 |
| 128 | 3072 | 256-383 |
| 192 | 7680 | 384-511 |
| 256 | 15360 | 512+ |
Another important aspect of EC is that performance scales well as the key size is increased. At current security levels (80-bits), EC does not offer a performance advantage over RSA. However, as requirements for increased keys sizes are introduced, EC does begin to offer performance advantages over RSA. NIST has recommended that by 2010, systems using RSA should migrate from 1024-bit keys to 2048-bits keys. At this security level, the performance advantage of EC begins to become more apparent, especially during key generation and private key operations.
An ECDSA digital signature algorithm instance can be obtained using the Java
Cryptography Architecture (JCA), by requesting the
'<digestAlgorithm>withECDSA' algorithm from the
Entrust cryptographic
service provider. This can be done using the following call:
Signature.getInstance("<digestAlgorithm>withECDSA", "Entrust");
| Modifier and Type | Method and Description |
|---|---|
protected com.entrust.toolkit.security.crypto.signature.DigitalSignatureImpl |
getDigitalSignatureImpl(java.lang.String implClassName)
Instantiates the internal signature algorithm implementation from the
indicated class.
|
assertParametersValid, engineGetParameter, engineGetParameters, engineInitSign, engineInitSign, engineInitVerify, engineSetParameter, engineSetParameter, engineSign, engineSign, engineUpdate, engineUpdate, engineVerify, engineVerify, generateDefaultParameters, getDigest, getPrng, toAlgorithmParametersprotected final com.entrust.toolkit.security.crypto.signature.DigitalSignatureImpl getDigitalSignatureImpl(java.lang.String implClassName)
throws java.lang.RuntimeException
DigitalSignatureThis API is necessary so that the signature algorithm implementation classes can exist in a different package and not require public constructors.
getDigitalSignatureImpl in class DigitalSignatureimplClassName - the name of the class for the signature algorithm
implementationjava.lang.RuntimeException - if the signature algorithm implementation could not be
instantiated