Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

Adam Langley <> Wed, 23 October 2013 15:21 UTC

From: Adam Langley <>
Date: Wed, 23 Oct 2013 11:21:03 -0400
To: Watson Ladd <>
Subject: Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

On Tue, Oct 22, 2013 at 1:52 PM, Watson Ladd <> wrote:
> Completely spurious: hardware (or a separate process) does not know
> whether it is being asked to provide
> the ChannelID for a request that is genuine or one that the attacker
> provided after subverting the browser process.

Certainly that's true. However, it limits the attacker to an online
attack: closing the laptop, etc., stops them. That's a lot better than
the current situation where cookie theft is a significant problem.

Additionally, ChannelID can be extended to an "ignition key" model
where connections need to reprove the presence of the ChannelID every
$n minutes. (That might get the verification load to the point where
batching is useful :)

> There also is a replay attack: a signature of a static string provides
> no liveness

ChannelID signs the handshake, which includes a nonce from the server.

> Because of a stupid missing bit, you don't know which of two points
> lead to the r value. If you did know this bit, you could
> make the verification equation an identity in the curve and apply the
> Bos-Coster trick Ed25519 does. I've not come up with
> a way around this issue. Guess and check isn't worth it: it ends up
> costing more than verifying one at a time.

I have not looked into batching ECDSA verifies but [1] seems quite
clear that it's dealing with unmodified ECDSA signatures (paywalled
I'm afraid, but the first two pages are free). They report a speedup
of 2x for batches with multiple signers, which is roughly equal to the
reported speedup for Ed25519 (273K -> 134K cycles).


> Fair enough: I assume P256 is performant enough for the applications
> being imagined, but given
> the constant kvetching about performance, I'm not sure everyone shares
> that. (Then again, they
> kvetch while using interpreted languages...)

I am not terribly happy with the performance implications of ChannelID
either, but we're still exploring our options.
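The liveness point made in the reply (the Channel ID signature covers the handshake, and the handshake carries the server's random) is easy to show concretely. The following Go program is an added example written for this archive page; it is not code from the draft, from Chromium, or from either author. It models the handshake transcript as three constructed fields (client random, server random, server name), signs the transcript hash with a P-256 ECDSA key as the channel key, and then shows that capturing the signature from one handshake and replaying it into a second handshake with a fresh server random fails verification. The exact transcript encoding and the `Transcript` type are assumptions for illustration, not the draft's wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Transcript is a constructed stand-in for the handshake messages a Channel ID
// signature binds to. The real draft signs the handshake so far; only the
// fields needed to show the liveness property are kept here.
type Transcript struct {
	ClientRandom [32]byte
	ServerRandom [32]byte
	ServerName   string
}

// digest hashes the transcript fields in a fixed order (assumed encoding).
func digest(t Transcript) []byte {
	h := sha256.New()
	h.Write(t.ClientRandom[:])
	h.Write(t.ServerRandom[:])
	h.Write([]byte(t.ServerName))
	return h.Sum(nil)
}

// ChannelIDSignature is the (r, s) pair the client sends; the channel public
// key, which is the client's identity, travels alongside it.
type ChannelIDSignature struct {
	R, S *big.Int
}

// NewChannelKey generates the client's long-lived P-256 channel key.
func NewChannelKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignChannelID is the client's proof of possession over this handshake.
func SignChannelID(priv *ecdsa.PrivateKey, t Transcript) (ChannelIDSignature, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest(t))
	if err != nil {
		return ChannelIDSignature{}, err
	}
	return ChannelIDSignature{R: r, S: s}, nil
}

// VerifyChannelID is what the server runs: it recomputes the hash from the
// handshake it actually observed, so a signature over a different server
// random cannot verify.
func VerifyChannelID(pub *ecdsa.PublicKey, t Transcript, sig ChannelIDSignature) bool {
	return ecdsa.Verify(pub, digest(t), sig.R, sig.S)
}

// freshRandom produces a 32-byte handshake random.
func freshRandom() ([32]byte, error) {
	var b [32]byte
	_, err := rand.Read(b[:])
	return b, err
}

// ReplayDemo signs one handshake, then replays that signature into a second
// handshake that differs only in the server random. It returns whether the
// genuine signature verified and whether the replayed one did.
func ReplayDemo() (genuineOK bool, replayOK bool, err error) {
	priv, err := NewChannelKey()
	if err != nil {
		return false, false, err
	}
	clientRandom, err := freshRandom()
	if err != nil {
		return false, false, err
	}
	serverRandom1, err := freshRandom()
	if err != nil {
		return false, false, err
	}
	t1 := Transcript{ClientRandom: clientRandom, ServerRandom: serverRandom1, ServerName: "example.test"}
	sig, err := SignChannelID(priv, t1)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyChannelID(&priv.PublicKey, t1, sig)

	// Second handshake: the server picks a new random, the attacker replays sig.
	serverRandom2, err := freshRandom()
	if err != nil {
		return false, false, err
	}
	t2 := Transcript{ClientRandom: clientRandom, ServerRandom: serverRandom2, ServerName: "example.test"}
	replayOK = VerifyChannelID(&priv.PublicKey, t2, sig)
	return genuineOK, replayOK, nil
}

func main() {
	genuine, replay, err := ReplayDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine handshake verifies: %v\n", genuine)
	fmt.Printf("replayed signature verifies: %v\n", replay)
}
```

The server-side check is only as good as the server random it mixes in: the property relies on the server choosing a fresh random per handshake and on the signature being checked against the transcript the server itself observed, not one supplied by the client.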