IETF Logo Mail Archive

[stir] Choice of STIR signature algorithm

John Mattsson <john.mattsson@ericsson.com> Tue, 05 April 2016 14:36 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC3C612D507 for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 07:36:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJlniqpz_XDt for <stir@ietfa.amsl.com>; Tue, 5 Apr 2016 07:36:53 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8259912D145 for <stir@ietf.org>; Tue, 5 Apr 2016 07:36:52 -0700 (PDT)
X-AuditID: c1b4fb2d-f79c06d000005960-d6-5703cd82c46d
Received: from ESESSHC004.ericsson.se (Unknown_Domain [153.88.183.30]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 4B.63.22880.28DC3075; Tue, 5 Apr 2016 16:36:50 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.106]) by ESESSHC004.ericsson.se ([153.88.183.30]) with mapi id 14.03.0248.002; Tue, 5 Apr 2016 16:36:50 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: Choice of STIR signature algorithm
Thread-Index: AQHRj0iWb832AGdGDEePNXJedu5tug==
Date: Tue, 05 Apr 2016 14:36:49 +0000
Message-ID: <D32953D1.4770F%john.mattsson@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.1.160122
x-originating-ip: [153.88.183.149]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D35CEA5F6CE04E4C8AB05B036C057A22@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrNLMWRmVeSWpSXmKPExsUyM2K7nG7TWeZwg/fbLS2Wr93G5MDosWTJ T6YAxigum5TUnMyy1CJ9uwSujDu/F7IUXBGt6Hp1lrWBsUe0i5GTQ0LARGLW6+1sELaYxIV7 64FsLg4hgSOMEpMXvGKGcBYzSvxb1cAOUsUmYCAxd08DWIeIgLLElnV3wOLCAtoSM5+eY4WI G0hMOXgDqIYDyNaTeLHOBsRkEVCRmPajAKSCV8Bc4tPmBWCdjEB7v59awwRiMwuIS9x6Mp8J 4h4BiSV7zjND2KISLx//A5suCjTxdsdadoi4ksTaw9tZQMYzC2hKrN+lDzHGWmLlnQ8sELai xJTuh+wQawUlTs58wjKBUXQWkm2zELpnIemehaR7FpLuBYysqxhFi1OLi3PTjYz1Uosyk4uL 8/P08lJLNjECo+Tglt+6OxhXv3Y8xCjAwajEw6sgwxwuxJpYVlyZe4hRgoNZSYQ3+wRQiDcl sbIqtSg/vqg0J7X4EKM0B4uSOG9O5L8wIYH0xJLU7NTUgtQimCwTB6dUA2PsCpkZK8olpfvY 56VwhL2cmR+7jGcZL1eL4MtXtQ+E9V/qbf5wtH1JZcGar+07v4lEa+cbb/rFZScYwOl2UHTL tt650/7JdSYqhPfI7P/4NHWC1NqkDZFPgr7tbZX5u7LNfWGHWNuHrba3dq/+b2T/0yv5HYPy jE03phs+u73y0UfDKdqrw3YpsRRnJBpqMRcVJwIARsKF1I4CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/FyUPolM9kqMipVOi7r96BzYqWSA>
Subject: [stir] Choice of STIR signature algorithm
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 14:36:56 -0000

I think there are several strong reasons to change the default signature
algorithm in draft-ietf-stir-rfc4474bis and draft-ietf-stir-passport. The
current default algorithm is RS256 (RSASSA-PKCS1-v1_5 using SHA-256), but
I cannot find any number for MTI/Recommended/Minimum/Default key length.

1. RSA signing is extremely slow compared to modern alternatives. On a
Core i5-6600, ES256 (ECDSA using P-256 and SHA-256) is 21 times faster
than RSA-2048, and Ed25519 is 67 times faster
(https://bench.cr.yp.to/results-sign.html) As RSA-2048 is normally
classified as roughly 112-bit security (RFC3766, NIST, ENISA), a more fair
comparison is with RSA-3072, and then ES256 is 52 times faster and Ed25519
is 169 times faster.

2. RSA signatures are much larger than their ECC counterparts. RSA-2048
signatures are 256 bytes and RSA-3072 signatures are 384 bytes, while
ES256 and Ed25519 signatures are only 64 bytes.

3. PKCS1-v1_5 is not a very good algorithm. It has no security proofs, no
advantages, is disrecommended by ENISA (European Union Agency for Network
and Information Security), and has been replaced in TLS 1.3. I do not
think this is the algorithm we should use in STIR.

I think the right algorithm choice for STIR is ES256 or Ed25519.
Signature processing is likely the main burden for the Authentication
Service, and changing from RSA to ECC significantly reduces the amount of
hardware needed, and therefore the cost. A single 3.3 Ghz Skylake core can
do only 400 RSA-3072 or 1,000 RSA-2048 signatures per second, but 21,000
ES256 or 68,000 Ed25519 signatures per second. RSA verification is a bit
faster than ECC, but the different is much smaller that for signing,
RSA-3072 verifications are e.g. twice as fast as Ed25519 verifications.

Cheers,
John


------------------------------------------------------------------
JOHN MATTSSON
MSc Engineering Physics, MSc Business Administration and Economics
Ericsson IETF Security Coordinator
Senior Researcher, Security

v2.40.4 | Report a Bug | By Email | System Status