Re: [stir] Choice of STIR signature algorithm
Richard Shockey <richard@shockey.us> Tue, 05 April 2016 22:48 UTC
Return-Path: <richard@shockey.us>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D4912D14D for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 15:48:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=shockey.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kPrgYLGZkQF3 for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 15:48:17 -0700 (PDT)
Received: from gproxy10-pub.mail.unifiedlayer.com (gproxy10-pub.mail.unifiedlayer.com [69.89.20.226]) by ietfa.amsl.com (Postfix) with SMTP id 6600D12D0CC for <stir@ietf.org>; Tue, 5 Apr 2016 15:48:17 -0700 (PDT)
Received: (qmail 28916 invoked by uid 0); 5 Apr 2016 22:48:16 -0000
Received: from unknown (HELO cmgw2) (10.0.90.83) by gproxy10.mail.unifiedlayer.com with SMTP; 5 Apr 2016 22:48:16 -0000
Received: from box462.bluehost.com ([74.220.219.62]) by cmgw2 with id emo11s0191MNPNq01mo4TF; Tue, 05 Apr 2016 16:48:14 -0600
X-Authority-Analysis: v=2.1 cv=Nal1iQz4 c=1 sm=1 tr=0 a=jTEj1adHphCQ5SwrTAOQMg==:117 a=jTEj1adHphCQ5SwrTAOQMg==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=8WrITzYgnNwA:10 a=p-_XEfp0GhYA:10 a=kziv93cY1bsA:10 a=48vgC7mUAAAA:8 a=tGX7uwomAAAA:8 a=ll-iCDY8AAAA:8 a=M0OflfRGAAAA:8 a=0FD05c-RAAAA:8 a=8pif782wAAAA:8 a=hGBaWAWWAAAA:8 a=MVff1mliAAAA:8 a=MMvpRA9cQ3ez7-iWS9kA:9 a=KYd9lLM_syZlyZZl:21 a=b3no-JDRn6y5YPAs:21 a=QEXdDO2ut3YA:10 a=ivbTfD_dPm4A:10 a=6-C5ikvthBEA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shockey.us; s=default; h=Content-transfer-encoding:Content-type:Mime-version:In-Reply-To :References:Message-ID:To:From:Subject:Date; bh=EdfeOSFCWh6SaRNMyt6BhO05GK44JQIfx6k8Urn+Jm8=; b=OjcRDcA8+PGplS9zVNKRMeokn9 V5MU1FnOsFwahn/8OGbRH9GGcGidgXwDzcXQoDfdlsAIPAbZNwnp46OaNUcJ3hPnYSTjFGeV/RSN5 Ns9YnKHMCx43FtZSS8NY52W60;
Received: from [100.36.35.60] (port=65073 helo=[192.168.1.9]) by box462.bluehost.com with esmtpa (Exim 4.86_2) (envelope-from <richard@shockey.us>) id 1anZlT-0007hk-Ia; Tue, 05 Apr 2016 16:48:03 -0600
User-Agent: Microsoft-MacOutlook/0.0.0.160212
Date: Tue, 05 Apr 2016 18:47:56 -0400
From: Richard Shockey <richard@shockey.us>
To: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Message-ID: <0DD82221-E79D-4F15-B2B5-93165EC98919@shockey.us>
Thread-Topic: [stir] Choice of STIR signature algorithm
References: <D32953D1.4770F%john.mattsson@ericsson.com> <1A843300-AEB7-4EC6-8256-C88F6847B82E@neustar.biz> <D329995E.477D9%john.mattsson@ericsson.com> <A3723DBB-476C-4F22-95E0-37AE0872FBBD@shockey.us> <F4F09888-780B-4725-9A74-AD2EF661C5C0@vigilsec.com>
In-Reply-To: <F4F09888-780B-4725-9A74-AD2EF661C5C0@vigilsec.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
X-Identified-User: {3286:box462.bluehost.com:shockeyu:shockey.us} {sentby:smtp auth 100.36.35.60 authed with richard+shockey.us}
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/AI3G1BWn5LRCIubR4Xehpg_Ft20>
Subject: Re: [stir] Choice of STIR signature algorithm
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 22:48:24 -0000
Well I would have to insist that such a statement is SHOULD verify, either or both, how it deploys and under what conditions are still probably a nation-state matter certainly if they are used with E.164 plan. On 4/5/16, 5:55 PM, "stir on behalf of Russ Housley" <stir-bounces@ietf.org on behalf of housley@vigilsec.com> wrote: >There was just a discussion of this point in the STIR session at IETF 95. The sense of the room is to require verification of both RSA and ECC signatures. This allows the use of existing infrastructure, and allows rapid movement to ECC as soon as that infrastructure is readily available > >Russ > > >On Apr 5, 2016, at 4:46 PM, Richard Shockey <richard@shockey.us> wrote: > >> >> And on a nation state basis my assumption would be that something like ECC256 would be a requirement for the computational load factor if nothing else. >> >> Its certainly how I would write a STIR RFP for a CA if this were for the carriers in the NANP. Setting one or two SHOULD supports seem sensible. I would not set the requirement to MUST. >> >> — >> Richard Shockey >> Shockey Consulting LLC >> Chairman of the Board SIP Forum >> www.shockey.us >> www.sipforum.org >> richard<at>shockey.us >> Skype-Linkedin-Facebook rshockey101 >> PSTN +1 703-593-2683 >> >> >> >> >> >> >> >> >> On 4/5/16, 4:04 PM, "stir on behalf of John Mattsson" <stir-bounces@ietf.org on behalf of john.mattsson@ericsson.com> wrote: >> >>> I think that this has changed, and will change even more until STIR is >>> deployed. According to notary.icsi.berkeley.edu/#statistics 23 % of all >>> TLS connections are currently setup with ECDSA certificates. One example >>> is https://en.wikipedia.org. And we don’t need unanimous support from all >>> CAs; it is enough that ECDSA certificates are fairly easy to get. >>> >>> (Ed25519 certificates are probably hard to get unless you run your own CA). >>> >>> >>> John >>> >>> On 05/04/16 15:07, "Peterson, Jon" <jon.peterson@neustar.biz> wrote: >>> >>>> To date we have not moved this to EC because (at least as far as I >>>> understand things) many elements of web PKI, including many CAs, don't >>>> support these algorithms yet. If our assessment of that is changing, then >>>> let's revisit it. >>>> >>>> Jon Peterson >>>> Neustar, Inc. >>>> >>>> Sent from my iPad >>>> >>>>> On Apr 5, 2016, at 11:37 AM, John Mattsson <john.mattsson@ericsson.com> >>>>> wrote: >>>>> >>>>> I think there are several strong reasons to change the default signature >>>>> algorithm in draft-ietf-stir-rfc4474bis and draft-ietf-stir-passport. >>>>> The >>>>> current default algorithm is RS256 (RSASSA-PKCS1-v1_5 using SHA-256), >>>>> but >>>>> I cannot find any number for MTI/Recommended/Minimum/Default key length. >>>>> >>>>> 1. RSA signing is extremely slow compared to modern alternatives. On a >>>>> Core i5-6600, ES256 (ECDSA using P-256 and SHA-256) is 21 times faster >>>>> than RSA-2048, and Ed25519 is 67 times faster >>>>> (https://bench.cr.yp.to/results-sign.html) As RSA-2048 is normally >>>>> classified as roughly 112-bit security (RFC3766, NIST, ENISA), a more >>>>> fair >>>>> comparison is with RSA-3072, and then ES256 is 52 times faster and >>>>> Ed25519 >>>>> is 169 times faster. >>>>> >>>>> 2. RSA signatures are much larger than their ECC counterparts. RSA-2048 >>>>> signatures are 256 bytes and RSA-3072 signatures are 384 bytes, while >>>>> ES256 and Ed25519 signatures are only 64 bytes. >>>>> >>>>> 3. PKCS1-v1_5 is not a very good algorithm. It has no security proofs, >>>>> no >>>>> advantages, is disrecommended by ENISA (European Union Agency for >>>>> Network >>>>> and Information Security), and has been replaced in TLS 1.3. I do not >>>>> think this is the algorithm we should use in STIR. >>>>> >>>>> I think the right algorithm choice for STIR is ES256 or Ed25519. >>>>> Signature processing is likely the main burden for the Authentication >>>>> Service, and changing from RSA to ECC significantly reduces the amount >>>>> of >>>>> hardware needed, and therefore the cost. A single 3.3 Ghz Skylake core >>>>> can >>>>> do only 400 RSA-3072 or 1,000 RSA-2048 signatures per second, but 21,000 >>>>> ES256 or 68,000 Ed25519 signatures per second. RSA verification is a bit >>>>> faster than ECC, but the different is much smaller that for signing, >>>>> RSA-3072 verifications are e.g. twice as fast as Ed25519 verifications. >>>>> >>>>> Cheers, >>>>> John >>>>> >>>>> >>>>> ------------------------------------------------------------------ >>>>> JOHN MATTSSON >>>>> MSc Engineering Physics, MSc Business Administration and Economics >>>>> Ericsson IETF Security Coordinator >>>>> Senior Researcher, Security >>>>> >>>>> _______________________________________________ >>>>> stir mailing list >>>>> stir@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/stir >>> >>> _______________________________________________ >>> stir mailing list >>> stir@ietf.org >>> https://www.ietf.org/mailman/listinfo/stir >> >> _______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir > >_______________________________________________ >stir mailing list >stir@ietf.org >https://www.ietf.org/mailman/listinfo/stir
- Re: [stir] Choice of STIR signature algorithm Sean Turner
- [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm DOLLY, MARTIN C
- Re: [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Peterson, Jon
- Re: [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Robert Sparks
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm John Mattsson
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Gorman, Pierce A [CTO]
- Re: [stir] Choice of STIR signature algorithm Richard Shockey
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Peterson, Jon
- Re: [stir] Choice of STIR signature algorithm Eric Rescorla
- Re: [stir] Choice of STIR signature algorithm Russ Housley
- Re: [stir] Choice of STIR signature algorithm Eric Rescorla
- Re: [stir] Choice of STIR signature algorithm DOLLY, MARTIN C
- Re: [stir] Choice of STIR signature algorithm Eric Rescorla
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Chris Wendt
- Re: [stir] Choice of STIR signature algorithm Eric Burger
- Re: [stir] Choice of STIR signature algorithm Russ Housley