Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

Adam Langley <agl@google.com> Wed, 23 October 2013 15:21 UTC

From: Adam Langley <agl@google.com>
Date: Wed, 23 Oct 2013 11:21:03 -0400
Message-ID: <CAL9PXLxq91G+Es0J+tvPFO9BAyedA6Z0CmMqPqq4UC6hAbtSbw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>

On Tue, Oct 22, 2013 at 1:52 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> Completely spurious: hardware (or a separate process) does not know
> whether it is being asked to provide
> the ChannelID for a request that is genuine or one that the attacker
> provided after subverting the browser process.

Certainly that's true. However, it limits the attacker to an online
attack: closing the laptop etc stops them. That's a lot better than
the current situation where cookie theft is a significant problem.

Additionally, ChannelID can be extended to an "ignition key" model
where connections need to reprove the presence of the ChannelID every
$n minutes. (That might get the verification load to the point where
batching is useful :)

> There also is a replay attack: a signature of a static string provides
> no liveness

ChannelID signs the handshake, which includes a nonce from the server.

> Because of a stupid missing bit, you don't know which of two points
> leads to the r value. If you did know this bit, you could
> make the verification equation an identity in the curve and apply the
> Bos-Coster trick Ed25519 does. I've not come up with
> a way around this issue. Guess and check isn't worth it: it ends up
> costing more than verifying one at a time.

I have not looked into batching ECDSA verifies but [1] seems quite
clear that it's dealing with unmodified ECDSA signatures (paywalled
I'm afraid, but the first two pages are free). They report a speedup
of 2x for batches with multiple signers, which is roughly equal to the
reported speedup for Ed25519 (273K -> 134K cycles).

[1] http://rd.springer.com/chapter/10.1007%2F978-3-642-31410-0_1

> Fair enough: I assume P256 is performant enough for the applications
> being imagined, but given
> the constant kvetching about performance, I'm not sure everyone shares
> that. (Then again, they
> kvetch while using interpreted languages...)

I am not terribly happy with the performance implications of ChannelID
either, but we're still exploring our options.

Cheers

AGL
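Watson's "missing bit" point, as an added worked example (not code from this thread or from the Channel ID draft): textbook ECDSA over P-256, where the verifier only gets (r, s), so lifting r back to a point leaves two candidates R and -R, and the verification equation written as a curve identity, s*R - e*G - r*Q = O, which a Bos-Coster-style batch would sum over, holds for exactly one of them. The P-256 constants are the standard ones; the private key and the "handshake transcript" message are constructed, and the arithmetic is plain affine Python, not constant-time.

```python
import hashlib, secrets

# NIST P-256 (the curve Channel ID uses): y^2 = x^3 - 3x + B over GF(P), order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):  # affine point addition; None is the point at infinity O
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg):  # plain ECDSA with private scalar d; only (r, s) is emitted
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (hash_to_int(msg) + r * d) % N
        if r and s: return r, s

def lift_x(r):
    # Both curve points with x-coordinate r; the missing sign bit would pick one.
    rhs = (r ** 3 - 3 * r + B) % P        # assumes x == r (x >= N has prob ~2^-128)
    y = pow(rhs, (P + 1) // 4, P)          # modular sqrt, valid because P = 3 mod 4
    return [(r, y), (r, P - y)] if y * y % P == rhs else []

def on_identity(R, Q, r, s, e):
    # Verification equation as a curve identity: s*R - e*G - r*Q == O
    t = add(mul(e, G), mul(r, Q))
    return add(mul(s, R), None if t is None else (t[0], -t[1] % P)) is None

def matching_candidates(Q, msg, sig):
    # Number of lifts of r satisfying the identity under public key Q (1 if valid).
    r, s = sig
    return sum(on_identity(R, Q, r, s, hash_to_int(msg)) for R in lift_x(r))
```

Because only one of the two lifts satisfies the identity, a batch of m such signatures would have to guess 2^m sign combinations before the summed identity can be checked, which is the "guess and check" cost Watson describes.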