Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Nicholas Weaver <nweaver@icsi.berkeley.edu> Tue, 01 April 2014 13:05 UTC

Return-Path: <nweaver@icsi.berkeley.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B0841A06FF for <dnsop@ietfa.amsl.com>; Tue, 1 Apr 2014 06:05:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.611
X-Spam-Level:
X-Spam-Status: No, score=-1.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-i6dH-sbzRF for <dnsop@ietfa.amsl.com>; Tue, 1 Apr 2014 06:05:26 -0700 (PDT)
Received: from rock.ICSI.Berkeley.EDU (rock.ICSI.Berkeley.EDU [192.150.186.19]) by ietfa.amsl.com (Postfix) with ESMTP id 881F21A0708 for <dnsop@ietf.org>; Tue, 1 Apr 2014 06:05:26 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id 5D23A2C4023; Tue, 1 Apr 2014 06:05:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ICSI.Berkeley.EDU
Received: from rock.ICSI.Berkeley.EDU ([127.0.0.1]) by localhost (maihub.ICSI.Berkeley.EDU [127.0.0.1]) (amavisd-new, port 10024) with LMTP id DWkuaiZAWtNo; Tue, 1 Apr 2014 06:05:20 -0700 (PDT)
Received: from [10.0.1.22] (c-76-103-162-14.hsd1.ca.comcast.net [76.103.162.14]) (Authenticated sender: nweaver) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id 529F62C400B; Tue, 1 Apr 2014 06:05:20 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_7AB08333-28B2-49DA-BD79-FF2ED3244C6F"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <102C13BE-E45E-437A-A592-FA373FF5C8F0@ogud.com>
Date: Tue, 1 Apr 2014 06:05:20 -0700
Message-Id: <474B0834-C16B-4843-AA0A-FC2A2085FEFB@icsi.berkeley.edu>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <53345C77.8040603@uni-due.de> <B7893984-2FAD-472D-9A4E-766A5C212132@pch.net> <102C13BE-E45E-437A-A592-FA373FF5C8F0@ogud.com>
To: =?iso-8859-1?Q?=D3lafur_Gu=F0mundsson?= <ogud@ogud.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/74RwWcpv4yNcuzjIDkvnh3MnQZI
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@icsi.berkeley.edu>, =?iso-8859-1?Q?Matth=E4us_Wander?= <matthaeus.wander@uni-due.de>, Bill Woodcock <woody@pch.net>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 13:05:28 -0000

On Apr 1, 2014, at 5:39 AM, Olafur Gudmundsson <ogud@ogud.com> wrote:
> 
> Doing these big jumps is the wrong thing to do, increasing the key size increases three things:
> 	time to generate signatures  
> 	bits on the wire
> 	verification time. 
> 
> I care more about verification time than bits on the wire (as I think that is a red herring).
> Signing time increase is a self inflicted wound so that is immaterial. 
> 
>                  sign    verify    sign/s verify/s
> rsa 1024 bits 0.000256s 0.000016s   3902.8  62233.2
> rsa 2048 bits 0.001722s 0.000053s    580.7  18852.8
> rsa 4096 bits 0.012506s 0.000199s     80.0   5016.8
> 
> Thus doubling the key size decreases the verification performance by roughly by about 70%. 
> 
> KSK's verification times affect the time to traverse the DNS tree, thus 
> If 1024 is too short 1280 is fine for now
> If 2048 is too short 2400 bit key is much harder to break thus it should be fine. 
> 
> just a plea for key use policy sanity not picking on Bill in any way.

NO!  FUCK THAT SHIT.  Seriously.

There is far far far too much worrying about "performance" of crypto, in cases like this where the performance just doesn't matter!

Yes, you can only do 18K verifies per CPU per second for 2048b keys.  Cry me a river.  Bite the bullet, go to 2048 bits NOW, especially since the servers do NOT have resistance to roll-back-the-clock attacks.



In a major cluster validating recursive resolver, like what Comcast runs with Nominum or Google uses with Public DNS, the question is not how many verifies it can do per second per CPU core, but how many verifies it needs to do per second per CPU core.

And at the same time, this is a problem we already know how to parallelize, and which is obscenely parallel, and which also caches...

Lets assume a typical day of 1 billion external lookups for a major ISP centralized resolver, and that all are verified.  Thats less 1 CPU core-day to validate every DNSSEC lookup that day at 2048b keys.  

And yeah, DNS is peaky, but that's also why this task is being run on a cluster already, and each cluster node has a lot of CPUs.


--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc