Re: [Cfrg] Actual security levels for IETF crypto

Watson Ladd <watsonbladd@gmail.com> Tue, 28 October 2014 06:29 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B592F1A00FC for <cfrg@ietfa.amsl.com>; Mon, 27 Oct 2014 23:29:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EmvsP6krowBs for <cfrg@ietfa.amsl.com>; Mon, 27 Oct 2014 23:29:45 -0700 (PDT)
Received: from mail-yk0-x22d.google.com (mail-yk0-x22d.google.com [IPv6:2607:f8b0:4002:c07::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E621A00FE for <cfrg@irtf.org>; Mon, 27 Oct 2014 23:29:45 -0700 (PDT)
Received: by mail-yk0-f173.google.com with SMTP id 131so3709ykp.32 for <cfrg@irtf.org>; Mon, 27 Oct 2014 23:29:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rg2Zp8aUzqkJjztyjAHjN/Wu2n9xPXnitTT5E3SLpN0=; b=ub52TsvunN1V79mmj7wSQ8Z5UUTwz5L+57vHUHBf7Rf9h/RtxcvRVhTGF2Z8FGwGVg NN+bTQR8ecPyYvfdGqqb2CdlIdiUK1LNpcvO3GJIU8kDNIhldLjyJAyu2pdhgsVe5gRl asRyyq4QXHOEkhyNk6F7t8oAhRltrecx0cjrR6ZruhtHn0iJAXhvNjIh2oAPUoEtAy2u 6joj72ltgCcO357LaG+Zxj+8jNJk6mUNLiihVT9PQx2qyzi3Vr6MMrWiACzP7LtRpxhc JjaHPK20LgCytRsXKg0EnWJjIyLTKCb783wrc3NST5EftUj3R1qBITvsqwFTte9MFqAt ty4g==
MIME-Version: 1.0
X-Received: by 10.170.209.206 with SMTP id a197mr1261646ykf.24.1414477784709; Mon, 27 Oct 2014 23:29:44 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 27 Oct 2014 23:29:44 -0700 (PDT)
In-Reply-To: <CAMm+LwiakY0OyxLY4BCwqe8Nq5A-5fQmf_AMCtf8mSNap6S1Bg@mail.gmail.com>
References: <20141027053452.13077.qmail@cr.yp.to> <544E4832.8030600@cs.tcd.ie> <CACsn0cn_4r67SmR9t+HqBb8YfYXd_r7FPJAxGcue1NRWsf5GBw@mail.gmail.com> <544EE4F1.2070201@cs.tcd.ie> <CAMm+LwiakY0OyxLY4BCwqe8Nq5A-5fQmf_AMCtf8mSNap6S1Bg@mail.gmail.com>
Date: Mon, 27 Oct 2014 23:29:44 -0700
Message-ID: <CACsn0cmda=CjaKweFfpD=PxxkKAHKpmHa+y7QCjbD9zCfrZ6yQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/MGcUVPmclQ3gUqzog9gZLrPg3t4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Actual security levels for IETF crypto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 06:29:47 -0000

On Mon, Oct 27, 2014 at 10:28 PM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
>
> On Mon, Oct 27, 2014 at 8:36 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>>
>>
>>
>> On 27/10/14 15:35, Watson Ladd wrote:
>> > Are you saying that DNSSEC isn't an IETF protocol? Or that we should
>> > only look at widely deployed protocols when determining how choices
>> > about what to deploy are made? Or that DNSSEC doesn't have the same
>> > "marketing issue" as TLS?
>>
>> None of the above. I was saying (only) that that extrapolation
>> is dodgy.
>>
>> If I measured a bunch of Dutch folks' heights, and assumed that
>> the average of those told me something about the average height
>> of a human I'd be making the same extrapolation mistake.
>
>
> A more apt comparison might be to try to measure average human height from a
> sample of Formula One drivers.
>
> There is a good reason folk choose a small key for DNS related work, the
> original protocol was limited to 500 bytes and quite a few bits of the
> Internet are still limited by the ancient ethernet MTU which isn't much
> bigger.

NIST P-256 is in the DNSSEC spec, and does fit in 500 bytes. (64 bytes
in fact). DNSSEC failed to select small keys with adequate security,
and instead selected medium size keys with poor security, for reasons
that are now irrelevant, and were probably bogus even then. But even
in the range of keys that do fit, people are not going to the maximum
possible security.

>
>
> Funny that someone would present this particular argument then accuse others
> of 'marketing' as if it was a bad thing.
>
> My actual argument was that the market is subject to a one-upmanship effect
> that tends to drive key sizes upwards. So if there is 384 and 512 on offer
> with the new curves, don't expect anyone to use 384.

But this didn't happen to 256 bit curves, which are still widely used
to protect TLS. It also didn't happen to 384 bit curves in PKIX: no
one is moving to 521 bit curves, in part because of compatibility
issues,  but also because of lack of demand.  It also hasn't happened
to RSA key sizes: the most popular key size on the web from Mozilla
telemetry is 2048 bits, with 4096 the next most popular, and the
ludicrously oversized 16384 virtually unseen in comparison.

It also hasn't happened to root certificates: Based on a cursory look
(because clicking through every CA preloaded on my Mac was too much) I
would say there are between 30-35 RSA 4096 certificates, compared to a
vast number of 2048 and 1024 bit certificates. (My favorite is the
MD2, 1024 bit RSA, root certificate)

Looking at Mozilla's list of included CAs tells a similar story: the
spreadsheet is avalible at
https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&amp;single=true&amp;gid=1&amp;output=html,
and shows limited effect of one-upmanship.

In fact, the removal of 1024 bit root keys broke a fair number of
websites, and was only completed in 2013.

We also have data from Internet-wide scans of servers.
http://cryptome.org/2013/11/ecc-practice.pdf for ECC. The most common
key size is 256, followed by 384, and lastly is 521. Sadly similar
breakdowns by keysize for a similar scan aimed at RSA and DSA host
keys does not appear to exist. I would be surprised if it actually
supported the hypothesis.

What evidence do you have that this one-upsmanship actually happens in
selecting key sizes?

Furthermore, even if a 384 bit options sees limited use, there is
little harm in including it. However, given that there are 480 bit
options offering better performance, why not pick those instead?
Similarly, if 512 bits would make you happy, why not an even faster
521 bit option? And why deny users who want a 384 bit option for
performance reasons the option to have a more satisfactory for them
balance between paranoia and practicality?

Sincerely,
Watson Ladd