Secure and Light Weight Elliptic Curve Cipher Suites in SSL/TLS

Today, e-commerce and online banking play a significant role: customers buy goods from e-commerce websites or use online banking to move money to other accounts. When a user performs these actions, their sensitive information is sent over an untrustworthy network. Consequently, when data is transmitted from the user's browser to an external e-commerce web server using the cryptographic protocol SSL/TLS, it is the e-commerce web server that ensures the security of the user's data. The user should be able to rely on the confidentiality, authentication, and authenticity properties of SSL/TLS on both the user's web browser and the remote e-commerce web server. To attain such a scenario, e-commerce web servers should choose the best SSL/TLS cipher suites to negotiate with the user, since the cipher suite used in SSL/TLS plays an important role in securing e-commerce web servers. This paper primarily focuses on analyzing SSL/TLS cipher suites and elliptic curves. It also recommends the best elliptic curve cipher suites for e-commerce and online banking servers, based on their power consumption, handshake execution time, and key exchange and signature verification time.


Introduction
The internet is the most important and fundamental component of any trending technology. E-commerce plays a critical role in today's technological evolution, making significant contributions to e-shopping and online banking. Since such applications are configured to reach the web server through a web browser using the SSL/TLS protocol, e-commerce applications rely on unauthorized web browsers. Confidentiality, integrity, and authentication should all be preserved in the information flow between the web server and the web browser. Various cryptographic methods, broadly classed as symmetric and asymmetric algorithms, may be used to guarantee these security properties. Although these algorithms are used in various OSI layers, this paper focuses on the security implemented in the application and transport layers, since online banking and e-shopping applications use SSL/TLS in the transport layer to carry the most confidential data. SSL/TLS protection is achieved by combining symmetric and asymmetric algorithms. A combination such as TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256, known as a cipher suite, is the common technique for securing communication [1] (figure: The Cipher Suite). As shown in Fig. 2, the TLS handshake protocol is perhaps the most important step in establishing secure communication between a web browser and a web server. The handshake protocol is in charge of three main tasks: cipher suite negotiation, server authentication, and client and session key agreement and exchange.
The handshake protocol proceeds as follows:
i) The client sends the initial HELLO packet, which contains the SSL/TLS version, random bytes, cipher suites, compression algorithms, and extension tags.
ii) After receiving the client's encrypted HELLO packet, the server responds with a HELLO packet containing random bytes, cipher suites, compression algorithms, and extension tags.
iii) After sending the HELLO packet successfully, the server sends the CERTIFICATE message and the HELLO DONE packet to the client, in that order.
iv) If the server requests it, the client sends its CERTIFICATE message.
v) The client then generates a random pre-master secret key and sends it to the server in encrypted form, using the same public key that was used to encrypt the CERTIFICATE.
vi) Based on the pre-master secret key generated and shared by the client, the server and client each generate a master secret key and a session key.
vii) The server and client each generate a master secret key and a session key based on the pre-master secret key created and shared by the client.
viii) Finally, both the client and the server exchange a FINISH packet to indicate the start of record-layer communication.
The record layer is responsible for transmitting data securely in encrypted form. It segments incoming data into 64-bit, 128-bit, or 256-bit segments, depending on the symmetric algorithm (block cipher or stream cipher) used for encryption, and applies MAC algorithms to protect the data segments once the encrypted segments arrive at the receiving end. SSL/TLS is the most commonly used protection mechanism, and cipher suites are its central component. A cipher suite has four main parts: a key exchange algorithm, an authentication algorithm, an encryption algorithm, and a message authentication code (MAC) algorithm. The key exchange algorithm is responsible for secure key exchange between the sender and recipient (say, client and server); RSA, DH, ECDH, and ECDHE are some of the most widely used key exchange algorithms in cipher suites. RSA, DSA, and ECDSA are used as authentication algorithms to ensure the authenticity of sender and receiver. Encryption algorithms such as AES and DES encrypt the data transmitted between the web browser and the web server. Using MD5, SHA1, SHA256, SHA384, or POLY1305, the MAC algorithm guarantees integrity on both sides. SSL 3.0 cipher suites began with the specific suites SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_RSA_WITH_DES_CBC_SHA, and SSL_DHE_DSS_WITH_DES_CBC_SHA [6]. Cipher Block Chaining (CBC) is the most common mode used in all the cipher suites that evolved from these.
The key flaw in these CBC techniques is the POODLE attack, which breaks SSL 3.0. The POODLE attack was made possible by the encrypted initialization vector (IV) used in the chaining phase of CBC, which was implemented using the DES algorithm and left only $2^{56}$ combinations for the attacker [7]. The cipher suite used in TLS 1.0 is very similar to that of SSL 3.0, but without the issues SSL 3.0 has. This was achieved by altering the encryption method used for the initialization vector: a stronger symmetric algorithm, AES, is applied to the IV, which leaves the intruder $2^{128}$, $2^{192}$, or $2^{256}$ combinations. However, the cipher suite in TLS 1.0 was also prone to the POODLE attack as well as the BEAST attack [8]. By replacing the implicit initialization vector with an explicit one, the cipher suite built for TLS 1.1 protected against all CBC attacks. TLS 1.2 is the cipher suite used by the majority of today's web browsers and websites. The elliptic curve cryptographic techniques for exchanging keys and authenticating end users, browsers, and servers are a significant and notable feature of TLS 1.2 that addresses day-to-day security problems. MD5/SHA1, which TLS 1.1 used to verify message integrity, was replaced with SHA256, SHA384, and HMAC-SHA256 to strengthen message integrity further. The encryption algorithms used in TLS 1.2 are AES_GCM and AES_CCM. The best cipher suites of TLS 1.2 are TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. TLS 1.3 is still in draft, with many advances such as choosing safe elliptic curves and safe primes [9]. The progress is also aided by the removal of older authentication algorithms such as MD5 and SHA224, as well as key exchange algorithms such as DH, ECDH, and ECDHE.
The cipher suite also includes the CHACHA20 stream cipher with POLY1305, a new authenticated encryption technique [10]. To ensure authentication, the Edwards-curve Digital Signature Algorithm (EdDSA) variants Ed25519 and Ed448 are used [11]. For key exchange, the suite employs Curve X25519 and Curve X448 [12]. In addition, in TLS 1.3 the handshake is reduced to 1 RTT, whereas TLS 1.2 needs 2 RTT to negotiate the handshake between the web server and the web browser; when the same web site is accessed a second time, a 0-RTT delay is guaranteed. TLS 1.3 uses the AEAD system, which combines the key exchange, authentication, and message authentication processes into a single handshake. The computation time involved in the handshake process is reduced as a result.
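As an added example (not code from the paper), the following Python script assembles a constructed ClientHello record of the kind sent in handshake step i), parses it back into its negotiable fields (protocol version, offered cipher suites, compression methods, extension types and the supported_groups list), and grades each offered suite by the four components described above: ephemeral versus static key exchange (forward secrecy), the bulk cipher (EXPORT/DES/RC4 versus AES-GCM), the MAC (MD5/SHA-1 versus SHA-2 or AEAD) and CBC mode, the weak points the text attributes to SSL 3.0 and TLS 1.0. The suite and group code points are the IANA assignments; the record bytes, the grading thresholds and the function names are this example's own choices.

```python
"""Parse a TLS ClientHello and grade the cipher suites it offers.
Added example for this paper (not the authors' code); the sample record is constructed here."""
import struct

# IANA code points for the suites and groups used in the constructed sample.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                  # TLS 1.3 suite
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
GROUP_NAMES = {0x0017: "secp256r1", 0x001D: "x25519"}
EXT_SUPPORTED_GROUPS = 0x000A


def build_client_hello(suites, groups):
    """Assemble a record-layer ClientHello (constructed input, not a capture)."""
    body = b"\x03\x03" + bytes(range(32))                 # client_version TLS 1.2, fixed random
    body += b"\x00"                                       # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    group_list = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(group_list)) + group_list
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0 compat version


def parse_client_hello(record):
    """Walk the record, handshake and ClientHello headers; return the negotiable fields."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp = list(body[pos + 1:pos + 1 + body[pos]])
    pos += 1 + body[pos]
    groups, ext_types = [], []
    if pos < len(body):                                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return {"version": (body[0], body[1]), "cipher_suites": suites,
            "compression": comp, "extensions": ext_types, "named_groups": groups}


def assess_suite(name):
    """Grade one suite name as 'weak', 'legacy' or 'modern', with the reasons (policy is this example's)."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "modern", []                  # TLS 1.3 names imply ephemeral key exchange and AEAD
    kx = name.split("_WITH_")[0]             # key exchange + authentication part of the name
    weak, legacy = [], []
    if "EXPORT" in name:
        weak.append("export-grade key length")
    if "DES" in name:
        weak.append("DES/3DES bulk cipher")
    if "RC4" in name:
        weak.append("RC4 stream cipher")
    if name.endswith("_MD5"):
        weak.append("MD5 MAC")
    if "NULL" in name or "anon" in name:
        weak.append("no encryption or no authentication")
    if name.endswith("_SHA"):
        legacy.append("SHA-1 MAC")
    if "_CBC_" in name:
        legacy.append("CBC mode (padding-oracle class attacks)")
    if "DHE" not in kx:
        legacy.append("static key exchange: no forward secrecy")
    if weak:
        return "weak", weak + legacy
    return ("legacy", legacy) if legacy else ("modern", [])


def grade_offer(record):
    """Grade every suite a ClientHello offers, keeping the client's preference order."""
    graded = []
    for code in parse_client_hello(record)["cipher_suites"]:
        name = SUITE_NAMES.get(code)
        graded.append((name or f"unknown_{code:04x}", assess_suite(name)[0] if name else "unknown"))
    return graded


if __name__ == "__main__":
    sample = build_client_hello([0xC02B, 0x1301, 0x002F, 0x0004], [0x001D, 0x0017])
    for name, grade in grade_offer(sample):
        print(f"{grade:7} {name}")
```

Fed a real ClientHello taken from a packet capture (the bytes of one TLS record), the same parser lists the suites a browser still offers, and the grading is a starting policy for a server operator to tighten, not a standard.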

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, the BEAST (Browser Exploit Against SSL/TLS) attack, the CRIME (Compression Ratio Info-leak Made Easy) attack, BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) [13], Heartbleed [14], the downgrade attack [15], the Lucky13 attack [16] and the RC4 attack [17] are some of the best-known SSL/TLS attacks. Any e-banking or e-commerce website that uses SSL/TLS communication will be exposed to these attacks if older versions of SSL/TLS remain in use in the web browser without upgrading to the newer SSL/TLS versions adopted by the web server.
In their blog, Daniel Bernstein and Tanja Lange discuss secure curves and several criteria for selecting curves for use in elliptic curve cryptography (ECC). Their Safe Curves review of standards and official documents shows that these address elliptic curve discrete logarithm problem (ECDLP) security, but not ECC security. According to Bernstein and Lange, curves designed only to be ECDLP-safe remain secure only if the attacker cannot bypass the ECDLP by exploiting implementations that produce incorrect results for certain unusual curve points, that leak secret data when the input is not a curve point, or that leak secret data through branch and cache timing attacks. As a result, the authors claim that none of these standards does a good job of ECC security, as opposed to ECDLP security. Based on these notable problems in ECC security, the authors proposed new elliptic curves that achieve improved protection and efficiency in both ECC and ECDLP terms, as shown in Tab. 1.
Bernstein and Lange evaluated the elliptic curves of previous standards against three groups of security conditions: a) basic curve parameters, b) ECDLP security, and c) ECC security.

Analysis of Cipher Suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 are the most common cipher suites now used in e-commerce and online banking. They were created from a series of key exchange algorithms, authentication algorithms, encryption algorithms, and MAC algorithms. TLS_RSA_WITH_AES_128_GCM_SHA256 was the first cipher suite of TLS 1.2. The evolution of cipher suites from this simple adopted cipher suite is depicted in Fig. 3 [18]. When SSL and TLS first began protecting the web browser and web server, they used the RSA algorithm to encrypt their secret session key. RSA uses a modular exponentiation approach in which, when a strong or safe prime is selected, the factors are difficult to identify. This is because, when a strong prime is selected, its representation begins at 2048 bits for the lowest strong prime, ensuring greater confidentiality. While 2048 bits is a good size for ensuring privacy, it can be broken with enough effort. As a result, attempts were made to enhance confidentiality at this point of weakness, and RSA raised the lowest strong prime representation to 3072 bits [19]. The issue that then arose was the memory required to store the key, an even bigger problem for mobile devices. Even though several theoretical attacks on RSA are possible, the practical timing attack is of more concern because it can fully break the communication mechanism [20]. Because of the way it operates, the timing attack is also classed as a known-ciphertext attack / side-channel attack.
In the key exchange component, RSA was replaced by Diffie-Hellman (DH) to ensure the authentication of the key exchange between the web browser and the web server [21]. DH is more immune to mathematical and timing attacks because it relies on the discrete logarithm method (DLM). While the defence against attacks improved, the memory requirement remains a flaw. TLS_DH_RSA has big issues with the Logjam and FREAK attacks [22]. The hardness of the DLP is relied on to compensate for the Logjam attack [23,24]. The main issue in DH is that a past session key may be compromised in the future. TLS_DHE_RSA (ephemeral DH, or DHE) includes forward secrecy (FS) to eliminate this issue [25]: for each session, FS generates a unique session key (as decided by the web server).
Given the shortcomings of previous cipher suites, especially their time and memory requirements, TLS 1.2 was designed to include elliptic curve cryptography (ECC), placing elliptic curves (EC) in its cipher suites for improved security in e-commerce applications, as shown in Fig. 4. The ECC key exchange in TLS 1.2 is based on ECDH [26], whose security rests on the hardness of the DLP.
The basic ECDH is based on DH with a static key exchange. Comparing ECDH and ECDHE, ECDHE generates a unique key for each session, and the same key is never generated twice. Despite this forward-secrecy advantage, ECDHE has a drawback known as the Elliptic Curve Discrete Logarithm Problem (ECDLP), which TLS 1.1 failed to satisfy [27,28]. The ECDLP issue arises when the discrete logarithm (DL) is broken using the baby-step giant-step and Pollard-rho methods [28]. The ECDSA technique uses a digital signature algorithm to provide authentication; DSA is an asymmetric algorithm that here uses an elliptic curve to ensure web server and browser authentication. This is based on the discrete logarithm problem, which ensures a security level of $2^{80}$. As all current e-commerce applications and online banking servers rely on elliptic curves, this paper analyzes the various elliptic curves and their implications.
An elliptic curve E over a field k can be defined in the following ways [29]:
1. A non-singular projective plane curve E over k of degree 3, together with a point O belonging to E(k).
3. A non-singular projective plane curve over k of the form specified in Eq. (1).
4. A non-singular projective curve E of genus 1, together with a point O belonging to E(k).
Any elliptic curve over a finite field can be classified as an elliptic curve over GF(p) or an elliptic curve over GF($2^m$). Three subcategories of elliptic curves can be formed from the standard elliptic curve equation: the Weierstrass curve, Eq. (2), the Montgomery curve, Eq. (3), and the Edwards curve, Eq. (4). These equations take the forms given there, where $4a^3 + 27b^2$ is non-zero for the Weierstrass curve and $b(a^2 - 4)$ is non-zero for the Montgomery curve. In order to provide more security in e-commerce and online banking servers while requiring less processing time, fewer CPU cycles, and less memory bandwidth, applications must choose a better elliptic curve based on the properties of the three curves mentioned above. According to the NIST standard, any point of order n can be used as the base point. A sample base point G = (Gx, Gy) is given for each curve. In light of this definition, users may wish to select their own base points in order to maintain cryptographic separation. Tab. 2 specifies the domain parameters of the random elliptic curve secp256r1.
Because of the parameters of curve secp256r1, e-commerce applications now typically adopt secp256r1 (NIST P-256), a random prime-field curve built on a short Weierstrass curve over GF(p).
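The checks that the SafeCurves discussion above calls for, applied to the secp256r1 parameters of Tab. 2, as an added example that is not part of the paper: it verifies that the curve is non-singular ($4a^3 + 27b^2 \neq 0$), that G lies on the curve and has order n, and that $n \neq p$; it validates a peer's public key the same way before using it (rejecting points off the curve, the point at infinity, or points outside the order-n subgroup, the invalid-point inputs SafeCurves warns about); and it runs an ephemeral ECDH session on the curve, showing that each session yields a fresh shared secret (the forward-secrecy property of ECDHE discussed above). The parameters are the published secp256r1 values, with p written as $2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$; the Montgomery ladder works in affine coordinates for readability, and the function names are this example's own.

```python
"""secp256r1 parameter checks, public-key validation and an ephemeral ECDH session.
Added example for this paper, not the authors' code."""
import secrets

# Published secp256r1 (NIST P-256) domain parameters. p is 2^256 - 2^224 + 2^192 + 2^96 - 1.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
H = 1
INF = None  # the point at infinity O (group identity)


def on_curve(pt):
    """True for O, or for (x, y) in range satisfying y^2 = x^3 + ax + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine addition (or doubling when p1 == p2) on the short Weierstrass curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # Q + (-Q) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ladder(k, pt):
    """Montgomery ladder: one addition and one doubling per scalar bit whatever the bit is.
    Affine arithmetic and the Python branch still leak timing; a production ladder uses
    projective coordinates and branch-free swaps."""
    r0, r1 = INF, pt
    for bit in bin(k)[2:]:
        if bit == "1":
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r1, r0 = add(r0, r1), add(r0, r0)
    return r0


def validate_domain_parameters():
    """Checks a verifier can run on the Tab. 2 values before trusting the curve."""
    return {
        "p_probable_prime": pow(2, P - 1, P) == 1,          # base-2 Fermat test, a quick screen only
        "non_singular": (4 * A**3 + 27 * B**2) % P != 0,
        "G_on_curve": on_curve(G),
        "G_has_order_n": ladder(N, G) is INF,
        "not_anomalous": N != P,                            # n == p would make the curve weak (anomalous)
        "cofactor_one": H == 1,
    }


def validate_public_key(q):
    """Accept a peer point only if it is on the curve, not O, and in the order-n subgroup."""
    return q is not INF and on_curve(q) and ladder(N, q) is INF


def ecdh_session():
    """One ephemeral ECDHE session with fresh keys; returns (shared x-coordinate, sides agree)."""
    da, db = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    qa, qb = ladder(da, G), ladder(db, G)
    if not (validate_public_key(qa) and validate_public_key(qb)):
        raise ValueError("invalid public key")
    sa, sb = ladder(da, qb), ladder(db, qa)
    return sa[0], sa == sb


if __name__ == "__main__":
    print(validate_domain_parameters())
    first, second = ecdh_session(), ecdh_session()
    print("sides agree:", first[1] and second[1], "sessions differ:", first[0] != second[0])
```

The order check `ladder(N, q) is INF` costs a full scalar multiplication; on a curve with cofactor 1 such as secp256r1, the on-curve test alone already rules out invalid-curve points, so a deployment may keep only that check, but the subgroup test is what protects curves with a larger cofactor.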
Table 2: Domain parameters of secp256r1
$p = 2^{224}(2^{32} - 1) + 2^{192} + 2^{96}$
The curve E: $y^2 = x^3 + ax + b \pmod p$ over $F_p$ is defined by:
a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFF
b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6 3BCE3C3E 27D260
seed S = C49D3608 86E70493 6A6678E1 139D26B7 819F7E
G = 04 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51
n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551
h = 01

Using the Montgomery ladder on the NIST P-256 curve (secp256r1), scalar multiplication and addition can be performed quickly. Pollard's rho can in principle solve the discrete logarithm on secp256r1, but at a cost of about $2^{128}$ operations. Secure internet transmission commonly uses the TLS_ECDHE_ECDSA cipher suites with P-256 (secp256r1) for key exchange and authentication. The e-commerce framework and web browser should move away from this standard curve. Most web servers and web browsers that use TLS 1.3 use Curve25519 to perform key exchange in security protocols with maximum efficiency. The prime field of this curve is $p = 2^{255} - 19$ and the curve is the Montgomery curve $y^2 = x^3 + 486662x^2 + x$. Curve25519 has become a de facto P-256 replacement used in a variety of applications. This curve has a number of benefits, including resistance to timing attacks, short secret keys (32 bytes) and short public keys (32 bytes), and free key validation. The twisted Edwards curve used in the Ed25519 signature scheme is birationally equivalent to Curve25519 used for key exchange. For signature verification, the security of Ed25519 is $2^{200}$, while that of X25519 is $2^{128}$.
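The X25519 key exchange on Curve25519 described above, implemented following RFC 7748 as an added example that is not part of the paper: the 32-byte scalar is clamped, the u-coordinate-only Montgomery ladder is driven by a branch-free conditional swap so that the sequence of field operations does not depend on the secret bits (the timing-attack resistance the text credits to this curve), and the all-zero output that low-order peer points produce is rejected. The constant 486662 and the prime $2^{255} - 19$ are those given in the text; the function names are this example's own.

```python
"""X25519 (RFC 7748) with the Montgomery ladder. Added example for this paper, not the authors' code."""
P = 2**255 - 19
A24 = (486662 - 2) // 4          # 121665, from the curve y^2 = x^3 + 486662 x^2 + x
BASE_U = (9).to_bytes(32, "little")   # the standard base point has u = 9


def decode_scalar(k):
    """Clamp per RFC 7748: clear the low 3 bits (remove the cofactor), clear bit 255,
    set bit 254 so every scalar drives the ladder for the same number of steps."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u):
    """Mask the unused top bit and reduce non-canonical values, as the RFC requires."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def cswap(swap, a, b):
    """Conditional swap without a data-dependent branch; swap is 0 or 1."""
    mask = -swap                     # 0 or all ones
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def x25519(k_bytes, u_bytes):
    """Return the u-coordinate of k*U as 32 little-endian bytes."""
    k, x1 = decode_scalar(k_bytes), decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0     # (x2:z2) = O, (x3:z3) = U in projective form
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P                 # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                        # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def shared_secret(my_private, peer_public):
    """Derive the shared secret, rejecting the all-zero result that low-order peer points produce."""
    s = x25519(my_private, peer_public)
    if s == bytes(32):
        raise ValueError("peer public key has low order")
    return s


if __name__ == "__main__":
    import os
    a, b = os.urandom(32), os.urandom(32)
    pub_a, pub_b = x25519(a, BASE_U), x25519(b, BASE_U)
    print(shared_secret(a, pub_b) == shared_secret(b, pub_a))
```

The ladder's data-independent operation sequence is what the text means by "the lack of timing attacks"; in Python the big-integer arithmetic itself is not constant time, so this shows the structure, and a deployment uses a constant-time library implementation.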

Implementation and Results
This section examines the performance of the various elliptic curve cipher suites that support forward secrecy. The goal of the experiments was to determine the amount of energy used by the client and server during the initial data transmission, that is, during elliptic curve key exchange and signature verification. The effects of the various elliptic curve handshake methods, together with their power consumption, are shown in Fig. 5. According to the results, Curve25519/Ed25519 outperforms the other elliptic curves used in TLS 1.2 cipher suites, and also outperforms them in TLS 1.3 cipher suites during the handshake between the client browser and the web server. This result shows that Curve25519/Ed25519 outperforms secp256r1 and RSA on both the client and server sides while achieving $2^{128}$ security. The number of CPU cycles spent by the different elliptic curves used to exchange the key between the web browser and the web server is shown in Fig. 6. Across the different elliptic curve operations, Curve25519 as used in ECDHE/EdDSA performs well compared with the other curves used in ECDHE/ECDSA and ECDHE/RSA in TLS 1.2 and TLS 1.3 cipher suites. Comparing TLS 1.3 cipher suites with TLS 1.2 cipher suites, Curve25519/Ed25519 performs better in CPU cycles.
The handshake completion time of the various elliptic curves used in TLS 1.2 and TLS 1.3 cipher suites is shown in Fig. 7. Curve25519/Ed25519 and secp256r1 are elliptic curves defined by different curve equations, and both are used to perform the handshake between the web browser and the web server. Compared with the other elliptic curves used in TLS 1.2 cipher suites that also achieve $2^{128}$ security, Curve25519/Ed25519 performs better. According to the results, ECDHE/EdDSA also performs well in both TLS 1.2 and TLS 1.3 cipher suites. Fig. 8 shows the performance of ECDSA signing, ECDSA verification, EdDSA signing, EdDSA verification, and ECDHE key computation. In these results, higher is better for key computation, signing, and verification across all elliptic curves in TLS 1.2 and TLS 1.3 cipher suites. The findings show that, in TLS 1.2 and TLS 1.3 cipher suites, Curve25519/Ed25519 outperforms secp256r1 and RSA in key computation, signing, and signature verification.

Conclusion
This paper investigated the best type of elliptic curve to choose, the computations used for the curves, and the base point to fix on the curves for better security in e-commerce applications. The standard elliptic curves used in e-commerce applications are: 1) curves over prime fields GF(p): P-192, P-224, P-256, P-384, P-521; 2) secp256r1; 3) Curve25519/Ed25519. Since bulk encryption (symmetric cipher) currently operates only with AES-128 and the bit values specify the application's protection level, secp256r1 and Curve25519 are the prime curves commonly used in most e-commerce and online banking. Also, at $2^{128}$, the curves secp256r1 and Curve25519 provide better security against Pollard's rho method, while bulk encryption (symmetric cipher) uses AES-128. Regarding the curves, since prime curves are faster on general-purpose CPUs, which have large integer multiplier circuits, the Montgomery curve is the most recently adopted curve for SSL/TLS, and it provides $2^{128}$ security. The Montgomery curves X25519 and secp256r1 are considered the fastest curves in ECC since they compute points on the EC using the Montgomery ladder (constant-time computation) rather than the point multiplication method used for the short Weierstrass curve. As it takes a form like the Montgomery curve and can use a Montgomery-style ladder, the twisted Edwards curve, such as Ed25519, can also be considered one of the fastest curves (mixed addition and mixed differential addition). After evaluating the results for the above elliptic curves, it was determined that Curve25519/Ed25519 outperforms all other curves used in most e-commerce and online banking servers in TLS 1.2 and TLS 1.3 cipher suites. As a result, Curve25519/Ed25519 is recommended as one of the best elliptic curves for the TLS 1.2 and TLS 1.3 cipher suites used in e-commerce and online banking servers.