Re: [TLS] Thoughts on TLS 1.3 cryptography performance
Eric Rescorla <ekr@rtfm.com> Thu, 13 March 2014 18:03 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425EB1A0A4B for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 11:03:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3xkUU2SsiHpn for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 11:03:00 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF521A0A53 for <tls@ietf.org>; Thu, 13 Mar 2014 11:02:59 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id t61so1188791wes.31 for <tls@ietf.org>; Thu, 13 Mar 2014 11:02:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=crQzIy3gaaRiYyTbHGZkrlIWIuR3g7FwcRyqojp4CmE=; b=hXNFHz6IRuueaApiFgEAb3hCtjVRmjhnp4pPd4ewlECjqdcvJ3SM+4vC58IMyQH4Is uWVgRl+1nD1P/0HLdDIUgrkJuGUKNNdZDHYn8aBMr+z9DRZcybkAr3smI2I0stZM7fH7 vuT9wOtXiu7M73uiWGpTw/kU6HHYDcfyo2Dk8tZUQH9PFtRpSDKdf/bmF5ZCbPj7e/u8 pqWYCq3ppBkqbBxyMFiKvesnBv48xABgVxGT/3VYDq2XLU0wOQxkVFGHmdoDJdYc9ns0 tX4bmZKRO+DywPlOjTcC3NlzWgXiqjbuatK1wMc8CurbpZXs2BZMViSkePy6ks8gPkBW RllQ==
X-Gm-Message-State: ALoCoQltOyWwr7zM+s7kg7SHkmZvCdB2NiYPywcmaxySy1hn9s0NmED8eppgsZQt69zKFjNn6uk9
X-Received: by 10.180.164.174 with SMTP id yr14mr2750228wib.18.1394733773075; Thu, 13 Mar 2014 11:02:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Thu, 13 Mar 2014 11:02:12 -0700 (PDT)
X-Originating-IP: [63.245.220.224]
In-Reply-To: <CAGZ8ZG2kGxvbVCNDzQZ4aq_v-4To1xp76zME-LLiiw-h2qqJOQ@mail.gmail.com>
References: <CACsn0ckbrrt0rBsHM+5A_jNK6UvkaiO9mHx6=Jr+jjqy+bZ6MQ@mail.gmail.com> <CAK3OfOj_+RzqPj0LJa=EyeJ5UqSy42z-_kF2tqYYZb=efFEwrQ@mail.gmail.com> <CACsn0ckVq5wkjsZgV6XrsgA6tU6_6YLKOsJQMivFY59esX1Ywg@mail.gmail.com> <CAK3OfOhzD+D2Tf=1JwzCfPf_m5uWhBj3sVd=UQw8b4fthGt-Bw@mail.gmail.com> <CAGZ8ZG3JXiJiCRUUBGGuaVTabn11yZ2u+Nv9cWHO8yagoxr+yw@mail.gmail.com> <CAK3OfOiGCidqTPDcnrMY+prbxYzS76v4JiDo51=z5n3296x8Dw@mail.gmail.com> <CABcZeBMwUHjdSdXyYPzb3NBxEF4vT87r6qOWWM=g18LuBUXNLQ@mail.gmail.com> <CAGZ8ZG2kGxvbVCNDzQZ4aq_v-4To1xp76zME-LLiiw-h2qqJOQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 13 Mar 2014 11:02:12 -0700
Message-ID: <CABcZeBOVH03_NDbhFz5dVy+a+wq1vJtfJaMURjh57Yu0GTekpg@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: multipart/alternative; boundary="00248c0d791419d98f04f480c3eb"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-ElzGW8wbiDbnh2avNSjAPMKXmY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on TLS 1.3 cryptography performance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Mar 2014 18:03:02 -0000
On Thu, Mar 13, 2014 at 10:17 AM, Trevor Perrin <trevp@trevp.net> wrote: > > On Thu, Mar 13, 2014 at 9:48 AM, Eric Rescorla <ekr@rtfm.com> wrote: > >> On Thu, Mar 13, 2014 at 9:34 AM, Nico Williams <nico@cryptonector.com>wrote: >> >>> But I am concerned about the need for PFS on >>> resumption in order to limit the extent of resumption ticket cache >>> compromise; if you're going to lose the 0-RTT resumption for it, might >>> as well pick the best "fast reauthentication" protocol possible, and >>> that might be Watson's. >> >> >> WRT this specific point, I wanted to observe that computational cost >> (within reason) is less important than round trip delay >> > > True, but a 0-RTT session ticket resumption requires less computation than > a 0-RTT handshake based on a semi-static ECDH key (like QUIC, or your > draft) without any RTT tradeoff. > > (My understanding of both QUIC and your draft is that in the 0-RTT case > they perform an "overlaid" DH while exchanging application data in the > initial RT, so subsequent data gets PFS while the initial RT does not. > This could be done with session tickets as well.) > Thanks for making this point. I think it gets to precisely the questions we need to be asking, namely: 1. Do we want to provide a mechanism for a client and server to form a new TLS connection without doing any public key operations? 2. Do we want to provide a mechanism for a client and server to do a 0-RTT handshake which minimizes the number of public key operations, potentially at the cost of linkability. (It's possible to do a 0-RTT handshake without linkability if the server uses the same DH key for a lot of clients, but not if you use the same session ticket repeatedly, though maybe you could swap the ticket each time.) -Ekr > Also: if the semi-static handshake is going to require an expensive client > re-authentication (ChannelID, PAKE, a slow smartcard, etc.), then the > savings for resumption are even greater. > > > Trevor > >
- [TLS] Thoughts on TLS 1.3 cryptography performance Watson Ladd
- [TLS] Version negotiation (was: Thoughts on TLS 1… Michael D'Errico
- Re: [TLS] Version negotiation (was: Thoughts on T… Eric Rescorla
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Santosh Chokhani
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Watson Ladd
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Watson Ladd
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Trevor Perrin
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Eric Rescorla
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Trevor Perrin
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Watson Ladd
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Trevor Perrin
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Eric Rescorla