Re: [stir] Choice of STIR signature algorithm

Richard Shockey <richard@shockey.us> Tue, 05 April 2016 20:46 UTC

Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F08E812D9EC for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 13:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=shockey.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Svslyycmbbvb for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 13:46:37 -0700 (PDT)
Received: from gproxy1-pub.mail.unifiedlayer.com (gproxy1-pub.mail.unifiedlayer.com [69.89.25.95]) by ietfa.amsl.com (Postfix) with SMTP id 0B15912D9E8 for <stir@ietf.org>; Tue, 5 Apr 2016 13:46:37 -0700 (PDT)
Received: (qmail 5942 invoked by uid 0); 5 Apr 2016 20:46:32 -0000
Received: from unknown (HELO cmgw4) (10.0.90.85) by gproxy1.mail.unifiedlayer.com with SMTP; 5 Apr 2016 20:46:32 -0000
Received: from box462.bluehost.com ([74.220.219.62]) by cmgw4 with id ekmS1s01L1MNPNq01kmVMo; Tue, 05 Apr 2016 14:46:32 -0600
X-Authority-Analysis: v=2.1 cv=aJ5j99Nm c=1 sm=1 tr=0 a=jTEj1adHphCQ5SwrTAOQMg==:117 a=jTEj1adHphCQ5SwrTAOQMg==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=8WrITzYgnNwA:10 a=p-_XEfp0GhYA:10 a=kziv93cY1bsA:10 a=ll-iCDY8AAAA:8 a=M0OflfRGAAAA:8 a=48vgC7mUAAAA:8 a=0FD05c-RAAAA:8 a=8pif782wAAAA:8 a=hGBaWAWWAAAA:8 a=MVff1mliAAAA:8 a=nbRfDxon0Duzle702M8A:9 a=nRw0jt1MwxszphxT:21 a=FIAh7FYQHjqmeUYG:21 a=QEXdDO2ut3YA:10 a=ivbTfD_dPm4A:10 a=6-C5ikvthBEA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-transfer-encoding:Content-type:Mime-version:In-Reply-To :References:Message-ID:CC:To:From:Subject:Date; bh=EuqtzIXyToJXau5IKqE0KWYVpeQaC7bWC6U4oxonjw4=; b=S4EygWDxjh+yt9GJ6NFzk8nGo3 yABEeWPiQaT/RRcNya85hrk4frnu0/udNwfwu2wsseL0Vw4zTZpVH9oUi87Q38Mnzm8mEeDFIHmob AYe6uVeKPPzKBOvf4kwEZ84eV;
Received: from [100.36.35.60] (port=62953 helo=[192.168.1.9]) by box462.bluehost.com with esmtpa (Exim 4.86_2) (envelope-from <richard@shockey.us>) id 1anXrm-0002hs-O5; Tue, 05 Apr 2016 14:46:26 -0600
User-Agent: Microsoft-MacOutlook/0.0.0.160212
Date: Tue, 05 Apr 2016 16:46:19 -0400
From: Richard Shockey <richard@shockey.us>
To: John Mattsson <john.mattsson@ericsson.com>, "Peterson, Jon" <jon.peterson@neustar.biz>
Message-ID: <A3723DBB-476C-4F22-95E0-37AE0872FBBD@shockey.us>
Thread-Topic: [stir] Choice of STIR signature algorithm
References: <D32953D1.4770F%john.mattsson@ericsson.com> <1A843300-AEB7-4EC6-8256-C88F6847B82E@neustar.biz> <D329995E.477D9%john.mattsson@ericsson.com>
In-Reply-To: <D329995E.477D9%john.mattsson@ericsson.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
X-Identified-User: {3286:box462.bluehost.com:shockeyu:shockey.us} {sentby:smtp auth 100.36.35.60 authed with richard+shockey.us}
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/5ubMmQikKwZjYzg9XrA6GIg1iZg>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] Choice of STIR signature algorithm
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 20:46:40 -0000

And on a nation state basis my assumption would be that something like ECC256 would be a requirement for the computational load factor if nothing else.

Its certainly how I would write a STIR RFP for a CA if this were for the carriers in the NANP. Setting one or two SHOULD supports seem sensible. I would not set the requirement to MUST. 

— 
Richard Shockey
Shockey Consulting LLC
Chairman of the Board SIP Forum
www.shockey.us
www.sipforum.org
richard<at>shockey.us
Skype-Linkedin-Facebook rshockey101
PSTN +1 703-593-2683








On 4/5/16, 4:04 PM, "stir on behalf of John Mattsson" <stir-bounces@ietf.org on behalf of john.mattsson@ericsson.com> wrote:

>I think that this has changed, and will change even more until STIR is
>deployed. According to notary.icsi.berkeley.edu/#statistics 23 % of all
>TLS connections are currently setup with ECDSA certificates. One example
>is https://en.wikipedia.org. And we don’t need unanimous support from all
>CAs; it is enough that ECDSA certificates are fairly easy to get.
>
>(Ed25519 certificates are probably hard to get unless you run your own CA).
>
>
>John
>
>On 05/04/16 15:07, "Peterson, Jon" <jon.peterson@neustar.biz> wrote:
>
>>To date we have not moved this to EC because (at least as far as I
>>understand things) many elements of web PKI, including many CAs, don't
>>support these algorithms yet. If our assessment of that is changing, then
>>let's revisit it. 
>>
>>Jon Peterson
>>Neustar, Inc. 
>>
>>Sent from my iPad
>>
>>> On Apr 5, 2016, at 11:37 AM, John Mattsson <john.mattsson@ericsson.com>
>>>wrote:
>>> 
>>> I think there are several strong reasons to change the default signature
>>> algorithm in draft-ietf-stir-rfc4474bis and draft-ietf-stir-passport.
>>>The
>>> current default algorithm is RS256 (RSASSA-PKCS1-v1_5 using SHA-256),
>>>but
>>> I cannot find any number for MTI/Recommended/Minimum/Default key length.
>>> 
>>> 1. RSA signing is extremely slow compared to modern alternatives. On a
>>> Core i5-6600, ES256 (ECDSA using P-256 and SHA-256) is 21 times faster
>>> than RSA-2048, and Ed25519 is 67 times faster
>>> (https://bench.cr.yp.to/results-sign.html) As RSA-2048 is normally
>>> classified as roughly 112-bit security (RFC3766, NIST, ENISA), a more
>>>fair
>>> comparison is with RSA-3072, and then ES256 is 52 times faster and
>>>Ed25519
>>> is 169 times faster.
>>> 
>>> 2. RSA signatures are much larger than their ECC counterparts. RSA-2048
>>> signatures are 256 bytes and RSA-3072 signatures are 384 bytes, while
>>> ES256 and Ed25519 signatures are only 64 bytes.
>>> 
>>> 3. PKCS1-v1_5 is not a very good algorithm. It has no security proofs,
>>>no
>>> advantages, is disrecommended by ENISA (European Union Agency for
>>>Network
>>> and Information Security), and has been replaced in TLS 1.3. I do not
>>> think this is the algorithm we should use in STIR.
>>> 
>>> I think the right algorithm choice for STIR is ES256 or Ed25519.
>>> Signature processing is likely the main burden for the Authentication
>>> Service, and changing from RSA to ECC significantly reduces the amount
>>>of
>>> hardware needed, and therefore the cost. A single 3.3 Ghz Skylake core
>>>can
>>> do only 400 RSA-3072 or 1,000 RSA-2048 signatures per second, but 21,000
>>> ES256 or 68,000 Ed25519 signatures per second. RSA verification is a bit
>>> faster than ECC, but the different is much smaller that for signing,
>>> RSA-3072 verifications are e.g. twice as fast as Ed25519 verifications.
>>> 
>>> Cheers,
>>> John
>>> 
>>> 
>>> ------------------------------------------------------------------
>>> JOHN MATTSSON
>>> MSc Engineering Physics, MSc Business Administration and Economics
>>> Ericsson IETF Security Coordinator
>>> Senior Researcher, Security
>>> 
>>> _______________________________________________
>>> stir mailing list
>>> stir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/stir
>
>_______________________________________________
>stir mailing list
>stir@ietf.org
>https://www.ietf.org/mailman/listinfo/stir