Now that you understand digital signatures conceptually, let’s look at the three signature algorithms you’ll encounter in TLS. Each one uses different math to achieve the same goal: proving that a message was signed by the holder of a specific private key.
RSA is the oldest and most widely deployed signature algorithm. It was published in 1977 and is still used in a huge number of certificates today.
RSA signatures work exactly as described in the previous chapter: hash the message, encrypt the hash with the private key. Verification decrypts the signature with the public key and compares hashes.
RSA key sizes for signatures:
The main downside of RSA is key size. A 2048-bit RSA key is 256 bytes. A 4096-bit key is 512 bytes. These larger keys mean larger certificates, larger handshake messages, and slower signature operations.
RSA signatures come in two padding schemes:
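The two padding schemes standardized for RSA signatures in TLS are PKCS#1 v1.5 and RSA-PSS (TLS 1.3 uses PSS for handshake signatures). The following added example, written for this page rather than taken from any project, shows the hash-then-sign flow with each padding under Go's standard library and makes three properties visible: every signature is exactly as long as the modulus (256 bytes for 2048-bit RSA), PKCS#1 v1.5 is deterministic while PSS is randomized, and verification rejects a tampered message. The function names and the sample message are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PSS salt as long as the hash, which is the choice TLS 1.3 mandates for its
// rsa_pss_* signature schemes.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// RSASigs holds one message signed under both padding schemes.
type RSASigs struct {
	PKCS1v15 []byte
	PSS      []byte
}

// signRSABoth hashes msg with SHA-256, then signs the digest once with
// PKCS#1 v1.5 padding and once with PSS padding.
func signRSABoth(priv *rsa.PrivateKey, msg []byte) (RSASigs, error) {
	digest := sha256.Sum256(msg)
	v15, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return RSASigs{}, err
	}
	pss, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return RSASigs{}, err
	}
	return RSASigs{PKCS1v15: v15, PSS: pss}, nil
}

// verifyRSABoth recomputes the digest of msg and checks each signature against
// it; a result is true only if that signature was made over this exact message
// by the private key matching pub.
func verifyRSABoth(pub *rsa.PublicKey, msg []byte, sigs RSASigs) (v15OK, pssOK bool) {
	digest := sha256.Sum256(msg)
	v15OK = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sigs.PKCS1v15) == nil
	pssOK = rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sigs.PSS, pssOpts) == nil
	return v15OK, pssOK
}

// signatureLen is the byte length of every signature this key produces: it
// equals the modulus size, so 256 bytes for a 2048-bit key.
func signatureLen(pub *rsa.PublicKey) int {
	return pub.Size()
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("handshake transcript (constructed sample)")
	sigs, _ := signRSABoth(priv, msg)
	again, _ := signRSABoth(priv, msg)
	fmt.Println("signature bytes:", signatureLen(&priv.PublicKey))
	fmt.Println("PKCS#1 v1.5 deterministic:", bytes.Equal(sigs.PKCS1v15, again.PKCS1v15))
	fmt.Println("PSS randomized:", !bytes.Equal(sigs.PSS, again.PSS))
	okV15, okPSS := verifyRSABoth(&priv.PublicKey, msg, sigs)
	badV15, badPSS := verifyRSABoth(&priv.PublicKey, []byte("tampered"), sigs)
	fmt.Println("genuine:", okV15, okPSS, "tampered:", badV15, badPSS)
}
```

The randomized salt is why two PSS signatures over the same message differ byte for byte; a verifier never compares signatures to each other, only checks each against the digest, so this has no effect on correctness.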
ECDSA (Elliptic Curve Digital Signature Algorithm) uses elliptic curve math instead of the large-number factoring that RSA relies on. The result: much smaller keys and signatures for the same security level.
| Security Level | RSA Key | ECDSA Key |
|---|---|---|
| 128-bit | 3072 bits | 256 bits |
| 192-bit | 7680 bits | 384 bits |
| 256-bit | 15360 bits | 521 bits |
A 256-bit ECDSA key provides the same security as a 3072-bit RSA key. The signature is also much smaller. This means smaller certificates, faster handshakes, and less bandwidth.
ECDSA is widely supported and is the most common signature algorithm in modern TLS certificates. The most common curve is P-256 (secp256r1).
One quirk of ECDSA: it requires a random number during signing. If the random number generator is flawed or reused, the private key can be recovered. This has caused real-world key compromises (notably in the PlayStation 3 hack and some Bitcoin wallet implementations).
EdDSA is the newest of the three. It’s based on a specific type of elliptic curve called a twisted Edwards curve. The most common variant is Ed25519, which uses Curve25519.
EdDSA was designed to fix the problems with ECDSA:
Ed25519 key size: 256 bits (32 bytes). Signature size: 512 bits (64 bytes).
EdDSA support in TLS is growing. TLS 1.3 supports Ed25519 and Ed448. Many newer systems prefer it, but RSA and ECDSA still dominate in deployed certificates because of the massive existing infrastructure.
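The ECDSA nonce quirk and EdDSA's answer to it can both be observed directly. The added example below, written for this page and not part of any project, signs with P-256 using Go's standard library, then runs a defensive audit over a batch of signatures from one key: because the r component of an ECDSA signature depends only on the per-signature nonce, two signatures from the same key that share r reveal a repeated nonce, and that is the condition a key-compromise review should flag. The same block then signs twice with Ed25519 to show that EdDSA derives its nonce from the key and message, so the signatures are identical, and confirms the 32-byte key and 64-byte signature sizes from the text. The function names and the sample message are assumptions of the example; the duplicated signature fed to the audit is constructed deliberately to exercise the detection path.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// ecdsaSignature mirrors the DER SEQUENCE { r INTEGER, s INTEGER } that TLS
// carries for an ECDSA signature.
type ecdsaSignature struct{ R, S *big.Int }

// signP256 hashes msg with SHA-256 and signs the digest; Go draws the nonce
// from rand.Reader (current releases also mix in the key and digest as a hedge).
func signP256(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyP256 recomputes the digest and checks the DER signature against pub.
func verifyP256(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// signatureR extracts r from a DER-encoded ECDSA signature. r is the x
// coordinate of k*G reduced mod n, so it depends on the nonce k alone.
func signatureR(der []byte) (*big.Int, error) {
	var sig ecdsaSignature
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after ECDSA signature")
	}
	return sig.R, nil
}

// repeatedNonce audits signatures produced by one key and reports whether any
// two share r. A true result means a nonce was reused and the key should be
// treated as compromised and rotated.
func repeatedNonce(sigs [][]byte) (bool, error) {
	seen := make(map[string]struct{}, len(sigs))
	for _, der := range sigs {
		r, err := signatureR(der)
		if err != nil {
			return false, err
		}
		key := r.String()
		if _, dup := seen[key]; dup {
			return true, nil
		}
		seen[key] = struct{}{}
	}
	return false, nil
}

// ed25519Deterministic signs msg twice and reports whether both signatures are
// byte-identical, which EdDSA guarantees because no random nonce is involved.
func ed25519Deterministic(priv ed25519.PrivateKey, msg []byte) bool {
	return bytes.Equal(ed25519.Sign(priv, msg), ed25519.Sign(priv, msg))
}

func main() {
	msg := []byte("ServerHello transcript (constructed sample)")
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	s1, _ := signP256(ecKey, msg)
	s2, _ := signP256(ecKey, msg)
	fmt.Println("ECDSA P-256 DER signature bytes:", len(s1), "verifies:", verifyP256(&ecKey.PublicKey, msg, s1))
	fmt.Println("ECDSA signatures differ (fresh nonce each time):", !bytes.Equal(s1, s2))
	clean, _ := repeatedNonce([][]byte{s1, s2})
	flagged, _ := repeatedNonce([][]byte{s1, s2, s1}) // constructed duplicate
	fmt.Println("nonce reuse in healthy batch:", clean, "in constructed batch:", flagged)

	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("Ed25519 key bytes:", len(edPub), "signature bytes:", len(ed25519.Sign(edPriv, msg)))
	fmt.Println("Ed25519 deterministic:", ed25519Deterministic(edPriv, msg))
}
```

The audit is cheap enough to run over logged signatures from a signing service; it cannot prove a signer is healthy, but a hit is unambiguous.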
For new deployments:
For TLS specifically, the signature algorithm is determined by the certificate. If your certificate has an RSA public key, the server uses RSA signatures. If it has an ECDSA key, it uses ECDSA signatures. You choose the algorithm when you generate the key pair and request the certificate.
Most CAs support both RSA and ECDSA certificates. Let’s Encrypt, for example, issues both. Some servers are configured with two certificates (one RSA, one ECDSA) and choose based on what the client supports.
In the TLS handshake, signatures appear in two places:
In TLS 1.2, the signature algorithm for handshake messages is negotiated as part of the cipher suite. In TLS 1.3, it’s negotiated separately through the signature_algorithms extension, which gives more flexibility.
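The two points above, that the certificate's key type fixes the signature algorithm and that a server holding both an RSA and an ECDSA certificate picks one based on the client, can be watched in a single process. The added example below, written for this page and not taken from any project, gives a Go TLS 1.2 server both certificates and runs an in-memory handshake against a client that offers exactly one cipher suite: an ECDHE_ECDSA suite forces the ECDSA certificate, an ECDHE_RSA suite forces the RSA one, which is the TLS 1.2 behaviour of tying the key type to the cipher suite. The self-signed certificates for "localhost", the 2048-bit and P-256 keys, and the function names are constructed assumptions of the example; a real deployment would use CA-issued certificates.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert wraps a key in a throwaway self-signed certificate for
// "localhost" so the handshake can run offline (constructed for the example).
func selfSignedCert(priv crypto.Signer) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// dualCertServer returns a TLS 1.2 server config holding one RSA and one ECDSA
// certificate, plus a root pool that lets the client trust either of them.
func dualCertServer() (*tls.Config, *x509.CertPool, error) {
	rsaKey, errR := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, errE := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if errR != nil || errE != nil {
		return nil, nil, fmt.Errorf("key generation: %v %v", errR, errE)
	}
	rsaCert, errR := selfSignedCert(rsaKey)
	ecCert, errE := selfSignedCert(ecKey)
	if errR != nil || errE != nil {
		return nil, nil, fmt.Errorf("certificate creation: %v %v", errR, errE)
	}
	roots := x509.NewCertPool()
	roots.AddCert(rsaCert.Leaf)
	roots.AddCert(ecCert.Leaf)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{rsaCert, ecCert}, // chosen per ClientHello
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	return cfg, roots, nil
}

// negotiatedKeyType runs an in-memory TLS 1.2 handshake in which the client
// offers exactly one cipher suite and reports the key type of the certificate
// the server presented.
func negotiatedKeyType(suite uint16) (x509.PublicKeyAlgorithm, error) {
	serverCfg, roots, err := dualCertServer()
	if err != nil {
		return x509.UnknownPublicKeyAlgorithm, err
	}
	clientCfg := &tls.Config{
		RootCAs:      roots,
		ServerName:   "localhost",
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{suite},
	}
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(serverConn, serverCfg).Handshake() }()
	client := tls.Client(clientConn, clientCfg)
	if err := client.Handshake(); err != nil {
		return x509.UnknownPublicKeyAlgorithm, fmt.Errorf("client: %w", err)
	}
	if err := <-serverErr; err != nil {
		return x509.UnknownPublicKeyAlgorithm, fmt.Errorf("server: %w", err)
	}
	return client.ConnectionState().PeerCertificates[0].PublicKeyAlgorithm, nil
}

func main() {
	for _, suite := range []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} {
		alg, err := negotiatedKeyType(suite)
		fmt.Printf("%s -> %v (err=%v)\n", tls.CipherSuiteName(suite), alg, err)
	}
}
```

Under TLS 1.3 the same server config would instead consult the client's signature_algorithms extension, since TLS 1.3 cipher suites no longer name an authentication algorithm; pinning both sides to TLS 1.2 here is what makes the cipher suite alone decide.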
Now that we have the full crypto toolbox (hashing, symmetric encryption, asymmetric encryption, key exchange, and signatures), we’re ready to see how these pieces combine into cipher suites and the TLS handshake. For a deep dive on how certificates and CAs use these signature algorithms to build trust, see PKI From First Principles.
Next: What Is a Cipher Suite?