5 Practical Questions on EdDSA Answered
Signature algorithms play an essential role in securing token-based architecture. Ultimately, the choice of which algorithm is used to generate the signature will determine the security of the token. The more advanced and secure the algorithm, the higher the security of a token. Therefore, the EdDSA algorithm, which is faster and more secure than its predecessors, should become the choice for those who want to save time, money, and resources.
Below I outline answers to five practical questions about EdDSA that I've encountered while securing token-based architectures.
1. Why is EdDSA preferable to other algorithms, such as RSA and ECDSA?
It's known that RSA and ECDSA have their drawbacks. Among them are RSA's key size and ECDSA's known vulnerability to side-channel attacks.
EdDSA solves the problem of key size. Its key size is comparable to ECDSA, but it's faster and designed with performance in mind. EdDSA simply uses different mathematical operations in the background.
Although researchers have worked hard to present solutions to the problems regarding ECDSA, implementations do not always keep up. Therefore, it may be hard to evaluate whether a certain ECDSA implementation is secure.
EdDSA is a better choice because it's secure and uses smaller key sizes than RSA, but it is easier to implement than ECDSA.
2. What are the complications of using EdDSA?
EdDSA is a state-of-the-art signature algorithm standardized by RFC 8032 in 2017. Since it's relatively new, it understandably has more limited support from languages, libraries, and frameworks. For instance, EdDSA support is quite good in Java and JavaScript, but in .Net, it is still a challenge. Don't get discouraged, though — the work on EdDSA is ongoing.
3. Is EdDSA usable in Open Banking scenarios?
Current Open Banking regulations differ from country to country. Open Banking standards that follow FAPI still rely on FIPS and don't allow the use of EdDSA. However, it can be assumed that this will change in the future with the introduction of new specifications.
When your business or application is not affected by restrictions introduced by compliance requirements, then EdDSA is the best choice for signing tokens. EdDSA is not only secure but may help to improve the performance of a system without having to compromise security.
4. How urgent is it to adopt EdDSA?
We recommend switching to EdDSA as soon as possible. Even if it is not a go-to algorithm now, the benefits of EdDSA are obvious, and it will likely soon see greater adoption. So, it's good to be prepared for the future and adopt EdDSA now. It might require some time to get used to, but it will definitely make a difference in your system's security and potential development.
5. Can I use EdDSA in the Curity Identity Server?
Yes, the Curity Identity Server supports EdDSA out of the box (as of version 7.2). Only add an EdDSA key and start using it in the Token Issuer. There are some resources to help you along the way.
If you want to learn about EdDSA and signature algorithms in detail, make sure to check out these resources: