IETF Logo Mail Archive

Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-imp-status-04.txt

Joe Abley <jabley@hopcount.ca> Tue, 12 March 2013 13:48 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2954021F8BD7 for <dnsext@ietfa.amsl.com>; Tue, 12 Mar 2013 06:48:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.929
X-Spam-Level:
X-Spam-Status: No, score=-99.929 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_IP_ADDR=1.119, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VIL2DWZJs8RO for <dnsext@ietfa.amsl.com>; Tue, 12 Mar 2013 06:48:02 -0700 (PDT)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id 6E82621F8AC1 for <dnsext@ietf.org>; Tue, 12 Mar 2013 06:48:02 -0700 (PDT)
Received: by mail-ie0-f177.google.com with SMTP id 16so6432986iea.36 for <dnsext@ietf.org>; Tue, 12 Mar 2013 06:48:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=AzLDkBUAMXv6V6mxtLZMdC691QHuWPea1dZI6wX4EwM=; b=c27/t9qzOItByi+E2Dw2ubL9XpKzUTUP669vFbn711+hkJEDk5/GK/mdRNIZlp5x28 xBAJK2v/F+D09rD7TBKGWH0ld0xQvnW+KoheTRqwGFusZMKnuLWpr9d0n2I9bbQrtRIC 7cfchb8aYNItm8LuS8RHpnJuVKDiXA/wI5Tu0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=AzLDkBUAMXv6V6mxtLZMdC691QHuWPea1dZI6wX4EwM=; b=U2UYOVeHdLDqhkxrXtbFEr/8GOI63j+IWzvrNM5fC4g5gacJtRnDA7tV8fdQ55Yvog RdQrbsD6AyHt6CxkbscIupL8kP4PUeZJGQ7fy+O3nZLvtcnn/VgYSca2KojQ+K+3eOxb 8Jaq0FiKYuKAPSZ2zUWRcrP4Hoar54s61cFBTBtI/6LPtRibHyKpjs5qkSO9X83fhuF6 Y59tFvdpRlxDRsT+f1wgHG2pNcHukGHS1ojCLSAmvJJjEqoTXh/jMbhdH7P9cTTZwFlb PyLWfcDDGqzR87TjBrWI1amFAvzC6VyCHbz4fDAlQuz6C/HVMzlGBjprVNufEqwxLeqN uIvA==
X-Received: by 10.50.89.200 with SMTP id bq8mr11648340igb.58.1363096081993; Tue, 12 Mar 2013 06:48:01 -0700 (PDT)
Received: from [199.212.90.51] ([199.212.90.51]) by mx.google.com with ESMTPS id xe9sm19622880igb.7.2013.03.12.06.48.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 12 Mar 2013 06:48:01 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <20130312132705.GA39133@mx1.yitter.info>
Date: Tue, 12 Mar 2013 09:47:58 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <C2325C79-C3E7-42EC-93E3-5CDB586C7C51@hopcount.ca>
References: <20130311152035.4888.59295.idtracker@ietfa.amsl.com> <20130311191607.GF38303@crankycanuck.ca> <E99C99C9-73E1-43F8-B09E-B28CA138F526@hopcount.ca> <20130311194317.GA38441@crankycanuck.ca> <FBCCECBD-43DC-46F1-911F-B06ED43E10C3@hopcount.ca> <20130311201201.GD38441@mx1.yitter.info> <20130312132705.GA39133@mx1.yitter.info>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQkJJU0ZslmXlBcacd6AcC/1e4tlPXEoiwMlbzZ0FsqL8qhJogYKupFRUL6EP25xMDxVT7GI
Cc: dnsext@ietf.org
Subject: Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-imp-status-04.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 13:48:03 -0000

On 2013-03-12, at 09:27, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:

> On Mon, Mar 11, 2013 at 04:12:01PM -0400, Andrew Sullivan wrote:
>> On Mon, Mar 11, 2013 at 04:01:04PM -0400, Joe Abley wrote:
> 
>>> English, in the RFC series. What is the reason for appearing to
>>> promote one over the other?
>> 
>> I don't know; that's what the WG said before. 
> 
> The reasoning in the draft behind recommending ECDSAP256SHA256 and
> ECDSAP384SHA384 and not GOST-ECC is that the former two "may see
> widespread use".

To give the quote more context, the draft says that the former two "may see widespread use due to the perceived similar level of security offered with smaller key size compared to the key sizes of algorithms such as RSA." The prediction of widespread use is based on a presumed advantage that smaller key sizes are good.

There's no citation for the cryptographic strength (perceived or otherwise) of ECDSAP256SHA256 or ECDSAP384SHA384 relative to the other "recommended" algorithms, i.e. RSASHA256, RSASHA1-NSEC3-SHA1 or RSASHA512.

RFC 6605 has this to say:

   Current estimates are that ECDSA with curve P-256 has an approximate
   equivalent strength to RSA with 3072-bit keys.  Using ECDSA with
   curve P-256 in DNSSEC has some advantages and disadvantages relative
   to using RSA with SHA-256 and with 3072-bit keys.  ECDSA keys are
   much shorter than RSA keys; at this size, the difference is 256
   versus 3072 bits.  Similarly, ECDSA signatures are much shorter than
   RSA signatures.  This is relevant because DNSSEC stores and transmits
   both keys and signatures.

which adds more detail, but also omits citations (beyond "current estimates"). I didn't look very hard, but I couldn't find a comparison between GOST R.34.10-2001 and RSA/SHA256.

In both ECDSA and GOST-ECC a public key Q = (x, y) is represented in DNSSEC as the concatenation x | y. 

In GOST R.34.10-2001 and ECDSA/P-256, the wire encoding is specified as 32 bytes for each of x and y, giving an encoded public key size of 512 bytes.

In ECDSA/P-384, the wire encoding is specified as 48 bytes for each of x and y, giving an encoded public key size of 768 bits.

Based purely on the motivation to reduce the key size (given that no citations are given for either ECDSA or GOST-ECC with respect to cryptographic strength relative to other algorithms) it seems that GOST-ECC has the same advantages as ECDSA/P-256 and is better than ECDSA/P-384.

> Does anyone have an argument that ECC-GOST also
> falls into that category?

Arguments about possible future widespread use are difficult to justify. Counter-examples (alg A is more likely to see use than alg B because A is encumbered, or is computationally expensive, or something) seem slightly easier to come up with. But since ECDSA and GOST-ECC are fundamentally so similar, it seems odd to me to treat them differently.

The only practical difference between ECDSA and GOST-ECC is where they were developed and standardised, and (once again) I think it'd be unfortunate if there was the perception that the GOST-specified algorithm was being under-promoted purely for geopolitical reasons.


Joe

v2.23.0 | Report a Bug | By Email