Re: [stir] Choice of STIR signature algorithm
Richard Shockey <richard@shockey.us> Tue, 05 April 2016 20:46 UTC
Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F08E812D9EC for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 13:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=shockey.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Svslyycmbbvb for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 13:46:37 -0700 (PDT)
Received: from gproxy1-pub.mail.unifiedlayer.com (gproxy1-pub.mail.unifiedlayer.com [69.89.25.95]) by ietfa.amsl.com (Postfix) with SMTP id 0B15912D9E8 for <stir@ietf.org>; Tue, 5 Apr 2016 13:46:37 -0700 (PDT)
Received: (qmail 5942 invoked by uid 0); 5 Apr 2016 20:46:32 -0000
Received: from unknown (HELO cmgw4) (10.0.90.85) by gproxy1.mail.unifiedlayer.com with SMTP; 5 Apr 2016 20:46:32 -0000
Received: from box462.bluehost.com ([74.220.219.62]) by cmgw4 with id ekmS1s01L1MNPNq01kmVMo; Tue, 05 Apr 2016 14:46:32 -0600
X-Authority-Analysis: v=2.1 cv=aJ5j99Nm c=1 sm=1 tr=0 a=jTEj1adHphCQ5SwrTAOQMg==:117 a=jTEj1adHphCQ5SwrTAOQMg==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=8WrITzYgnNwA:10 a=p-_XEfp0GhYA:10 a=kziv93cY1bsA:10 a=ll-iCDY8AAAA:8 a=M0OflfRGAAAA:8 a=48vgC7mUAAAA:8 a=0FD05c-RAAAA:8 a=8pif782wAAAA:8 a=hGBaWAWWAAAA:8 a=MVff1mliAAAA:8 a=nbRfDxon0Duzle702M8A:9 a=nRw0jt1MwxszphxT:21 a=FIAh7FYQHjqmeUYG:21 a=QEXdDO2ut3YA:10 a=ivbTfD_dPm4A:10 a=6-C5ikvthBEA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-transfer-encoding:Content-type:Mime-version:In-Reply-To :References:Message-ID:CC:To:From:Subject:Date; bh=EuqtzIXyToJXau5IKqE0KWYVpeQaC7bWC6U4oxonjw4=; b=S4EygWDxjh+yt9GJ6NFzk8nGo3 yABEeWPiQaT/RRcNya85hrk4frnu0/udNwfwu2wsseL0Vw4zTZpVH9oUi87Q38Mnzm8mEeDFIHmob AYe6uVeKPPzKBOvf4kwEZ84eV;
Received: from [100.36.35.60] (port=62953 helo=[192.168.1.9]) by box462.bluehost.com with esmtpa (Exim 4.86_2) (envelope-from <richard@shockey.us>) id 1anXrm-0002hs-O5; Tue, 05 Apr 2016 14:46:26 -0600
User-Agent: Microsoft-MacOutlook/0.0.0.160212
Date: Tue, 05 Apr 2016 16:46:19 -0400
From: Richard Shockey <richard@shockey.us>
To: John Mattsson <john.mattsson@ericsson.com>, "Peterson, Jon" <jon.peterson@neustar.biz>
Message-ID: <A3723DBB-476C-4F22-95E0-37AE0872FBBD@shockey.us>
Thread-Topic: [stir] Choice of STIR signature algorithm
References: <D32953D1.4770F%john.mattsson@ericsson.com> <1A843300-AEB7-4EC6-8256-C88F6847B82E@neustar.biz> <D329995E.477D9%john.mattsson@ericsson.com>
In-Reply-To: <D329995E.477D9%john.mattsson@ericsson.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
X-Identified-User: {3286:box462.bluehost.com:shockeyu:shockey.us} {sentby:smtp auth 100.36.35.60 authed with richard+shockey.us}
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/5ubMmQikKwZjYzg9XrA6GIg1iZg>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] Choice of STIR signature algorithm
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 20:46:40 -0000
And on a nation state basis my assumption would be that something like ECC256 would be a requirement for the computational load factor if nothing else. Its certainly how I would write a STIR RFP for a CA if this were for the carriers in the NANP. Setting one or two SHOULD supports seem sensible. I would not set the requirement to MUST. — Richard Shockey Shockey Consulting LLC Chairman of the Board SIP Forum www.shockey.us www.sipforum.org richard<at>shockey.us Skype-Linkedin-Facebook rshockey101 PSTN +1 703-593-2683 On 4/5/16, 4:04 PM, "stir on behalf of John Mattsson" <stir-bounces@ietf.org on behalf of john.mattsson@ericsson.com> wrote: >I think that this has changed, and will change even more until STIR is >deployed. According to notary.icsi.berkeley.edu/#statistics 23 % of all >TLS connections are currently setup with ECDSA certificates. One example >is https://en.wikipedia.org. And we don’t need unanimous support from all >CAs; it is enough that ECDSA certificates are fairly easy to get. > >(Ed25519 certificates are probably hard to get unless you run your own CA). > > >John > >On 05/04/16 15:07, "Peterson, Jon" <jon.peterson@neustar.biz> wrote: > >>To date we have not moved this to EC because (at least as far as I >>understand things) many elements of web PKI, including many CAs, don't >>support these algorithms yet. If our assessment of that is changing, then >>let's revisit it. >> >>Jon Peterson >>Neustar, Inc. >> >>Sent from my iPad >> >>> On Apr 5, 2016, at 11:37 AM, John Mattsson <john.mattsson@ericsson.com> >>>wrote: >>> >>> I think there are several strong reasons to change the default signature >>> algorithm in draft-ietf-stir-rfc4474bis and draft-ietf-stir-passport. >>>The >>> current default algorithm is RS256 (RSASSA-PKCS1-v1_5 using SHA-256), >>>but >>> I cannot find any number for MTI/Recommended/Minimum/Default key length. >>> >>> 1. RSA signing is extremely slow compared to modern alternatives. On a >>> Core i5-6600, ES256 (ECDSA using P-256 and SHA-256) is 21 times faster >>> than RSA-2048, and Ed25519 is 67 times faster >>> (https://bench.cr.yp.to/results-sign.html) As RSA-2048 is normally >>> classified as roughly 112-bit security (RFC3766, NIST, ENISA), a more >>>fair >>> comparison is with RSA-3072, and then ES256 is 52 times faster and >>>Ed25519 >>> is 169 times faster. >>> >>> 2. RSA signatures are much larger than their ECC counterparts. RSA-2048 >>> signatures are 256 bytes and RSA-3072 signatures are 384 bytes, while >>> ES256 and Ed25519 signatures are only 64 bytes. >>> >>> 3. PKCS1-v1_5 is not a very good algorithm. It has no security proofs, >>>no >>> advantages, is disrecommended by ENISA (European Union Agency for >>>Network >>> and Information Security), and has been replaced in TLS 1.3. I do not >>> think this is the algorithm we should use in STIR. >>> >>> I think the right algorithm choice for STIR is ES256 or Ed25519. >>> Signature processing is likely the main burden for the Authentication >>> Service, and changing from RSA to ECC significantly reduces the amount >>>of >>> hardware needed, and therefore the cost. A single 3.3 Ghz Skylake core >>>can >>> do only 400 RSA-3072 or 1,000 RSA-2048 signatures per second, but 21,000 >>> ES256 or 68,000 Ed25519 signatures per second. RSA verification is a bit >>> faster than ECC, but the different is much smaller that for signing, >>> RSA-3072 verifications are e.g. twice as fast as Ed25519 verifications. >>> >>> Cheers, >>> John >>> >>> >>> ------------------------------------------------------------------ >>> JOHN MATTSSON >>> MSc Engineering Physics, MSc Business Administration and Economics >>> Ericsson IETF Security Coordinator >>> Senior Researcher, Security >>> >>> _______________________________________________ >>> stir mailing list >>> stir@ietf.org >>> https://www.ietf.org/mailman/listinfo/stir > >_______________________________________________ >stir mailing list >stir@ietf.org >https://www.ietf.org/mailman/listinfo/stir
- Re: [stir] Choice of STIR signature algorithm Sean Turner
- [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm DOLLY, MARTIN C
- Re: [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Peterson, Jon
- Re: [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Robert Sparks
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Gorman, Pierce A [CTO]
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Peterson, Jon
- Re: [stir] Choice of STIR signature algorithm Eric Rescorla
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Eric Rescorla
- Re: [stir] Choice of STIR signature algorithm DOLLY, MARTIN C
- Re: [stir] Choice of STIR signature algorithm Eric Rescorla
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Russ Housley