Re: [Cfrg] Actual security levels for IETF crypto

Benjamin Black <b@b3k.us> Tue, 28 October 2014 22:07 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B319F1AD38C for <cfrg@ietfa.amsl.com>; Tue, 28 Oct 2014 15:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 53ZAH13zC_2I for <cfrg@ietfa.amsl.com>; Tue, 28 Oct 2014 15:06:56 -0700 (PDT)
Received: from mail-wg0-f53.google.com (mail-wg0-f53.google.com [74.125.82.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D5F41AD354 for <cfrg@irtf.org>; Tue, 28 Oct 2014 15:06:07 -0700 (PDT)
Received: by mail-wg0-f53.google.com with SMTP id b13so548067wgh.26 for <cfrg@irtf.org>; Tue, 28 Oct 2014 15:06:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=oNKSCaEpOwAyHkcNDJ0uT9Bfq8Yxk2Vh0HPWToZYBMI=; b=mIQx9WmL0sJ/u3CV2LApEt2co9zbT0lVhQ7koQf3a0CtJ15kf7K6QjJvHUEUT6pgDt 3mv9ji+rvU928ZlRs7Gllyiav/xr2NsIMuWWUfWgxc1T8A3L0+sLxLRdohyvvNthMZZ5 ybTp+/teTyP9IEWn9MU7EmbaKD0RmHSxvqb4cTvvxQts/z6XSmDaQkgI+p4dCGE2EYT0 oHMMhiXUU3/F/p8vnznG7EhNRW1fmRY7zNDCc7yZrsknbs6v6HkxGrBrGKWQB9LRWYiF w8oPcePG+SRd/Ut5y19HeZnymoSvPfenQUgtdSxHiGIOzwHWjAUNVYf893rTFfQ50O64 +KEQ==
X-Gm-Message-State: ALoCoQnnQoLQT4PGTe7hg7kSU1U7YZKlEGGzDiyZkpURdXCy9Gm083BaJZ83HiQrOeQNUDsnQ63f
X-Received: by 10.180.149.169 with SMTP id ub9mr8216869wib.73.1414533965812; Tue, 28 Oct 2014 15:06:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.217.14.70 with HTTP; Tue, 28 Oct 2014 15:05:45 -0700 (PDT)
In-Reply-To: <CACsn0cnKPEAoGtYqhL4DKF9CcKWAPRtGNz8SiZ27vRKMDCQu+w@mail.gmail.com>
References: <20141027053452.13077.qmail@cr.yp.to> <544E4832.8030600@cs.tcd.ie> <CACsn0cn_4r67SmR9t+HqBb8YfYXd_r7FPJAxGcue1NRWsf5GBw@mail.gmail.com> <544EE4F1.2070201@cs.tcd.ie> <CAMm+LwiakY0OyxLY4BCwqe8Nq5A-5fQmf_AMCtf8mSNap6S1Bg@mail.gmail.com> <CACsn0cmda=CjaKweFfpD=PxxkKAHKpmHa+y7QCjbD9zCfrZ6yQ@mail.gmail.com> <CA+Vbu7x7s-WCjEBFskDqp9hTxFbLfd2PtNg6JTY8XBLXUU5Frw@mail.gmail.com> <CACsn0cnKPEAoGtYqhL4DKF9CcKWAPRtGNz8SiZ27vRKMDCQu+w@mail.gmail.com>
From: Benjamin Black <b@b3k.us>
Date: Tue, 28 Oct 2014 15:05:45 -0700
Message-ID: <CA+Vbu7wXqB5TY9iJDVsiqw=5kspeUPUS2shTPXSC7kwZchh3+Q@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c38aea8e2d38050682dadb"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/K4_HU5CsCRTLJzs4RlbTEwGuzEA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Actual security levels for IETF crypto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 22:07:27 -0000

On Tue, Oct 28, 2014 at 1:02 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

>
> On Oct 28, 2014 12:10 PM, "Benjamin Black" <b@b3k.us> wrote:
> >
> > There is a very long tail effect here. While many individuals might
> express performance as a reason for not deploying TLS, sites which
> represent the vast majority of HTTP and SMTP user traffic are few and
> universally deploy TLS. The performance concerns for such major services
> are more about cost reduction: faster curves means fewer servers to handle
> a given request rate (where connection setup is the dominant consumer of
> resources). There is no option to not deploy TLS because such services can
> buy more servers but they can't buy more trust.
>
> What's good about spending extra money?
>
You stated performance was the main concern slowing TLS deployment. That is
only true for small sites who represent a small fraction of TLS
connections. For large players, TLS is a given and performance is useful
for reducing COGS or improving latency (where latency again is interesting
because there is correlation between lower latency and more money).


>
> >
> > The amplification problems of DNSSEC are not related to the choice of
> cryptography. Regardless of signature algorithm, DNSSEC responses are
> significantly larger than requests, making them attractive for
> amplification attacks.
>
> This is unavoidable,  but RSA makes it worse.
>
Glad we agree. It is unavoidable, not caused by algorithm choice.


> >
> > DNSSEC did not use EC originally because 15+ years ago when it was
> designed EC was still young and the patent situation made such a move
> infeasible. RSA was prevalent, unencumbered, and implementations were fast.
> EC was specified for DNSSEC only within the last 5 years, yesterday in DNS
> deployment time, and for much of that time patent concerns persisted,
> further retarding adoption.
> >
>
> ECC was invented in 1986. Unlike RSA, the algorithm was not patented by
> its inventors. All of the patents were on implementation techniques, and
> none were required to implement. Picking RSA hasn't measurably speed DNSSEC
> adoption.
>
You are well aware the history of ECC for widespread industrial use starts
with SECG, which formed in 1998 and published SEC1 1.0 in 2000. RSA was
chosen at the time because it was the best available option. The speed of
adoption is unrelated to the algorithm choice in DNSSEC, except that
mandating ECC in 1999 (or 2004) would've precluded most deployment.

Are you seriously now arguing that patents on implementation techniques are
no big deal and people should just work around them? I recall the opposite
position being vigorously argued in the recent past.

> Furthermore,  if the cryptography was fast enough to apply to every
> packet, the design would look considerably different. As a result of slow
> signing, we got fast offline zone walking.
>
No idea what point you're making. You seem to be simultaneously suggesting
that current DNSSEC key sizes are somehow relevant and that DNSSEC itself
is garbage, a case study in how not to do it, and would be far better if
only they'd applied knowledge from 15 years in the future.

> >
> > "NIST P-256 is in the DNSSEC spec, and does fit in 500 bytes."
> >
> > ECDSA, and with it P256, was not specified for DNSSEC until 2012, in
> RFC6605. RFC4034, which updates the original DNSSEC specification, includes
> an ECC code point for signatures, but does not offer anything more and this
> code point was not used for either P256 or P384 based signatures.
> >
>
...


> This is a reason for using the same single measurement framework for all
> benchmarks. I could easily imagine a systematic 10% measurement error
> caused by differing overheads when measuring the same code.
>
> I don't think the claims are false. I think it's hard to compare
> measurements made different ways on different machines, which is why Mike
> Hamburg email above is as good as it gets, and with relatively little
> effort we could have much better data.
>
> But if we accept the numbers above, what does that say about NUMS vs.
> Other? It looks to me that for minor changes in security level or
> performance,  major gains in the other variable are possible.
>
Trustworthiness of the curves are also a consideration, though obviously
one not as easily measured as performance. That it is hard to measure or
not a serious concern for you does not invalidate its importance to many.


b