Re: [TLS] Deprecating more (DSA?)
Bill Frantz <frantz@pwpconsult.com> Sat, 19 April 2014 23:17 UTC
Return-Path: <frantz@pwpconsult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 963F01A008A for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 16:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3vCJC8NWv9wP for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 16:17:07 -0700 (PDT)
Received: from elasmtp-junco.atl.sa.earthlink.net (elasmtp-junco.atl.sa.earthlink.net [209.86.89.63]) by ietfa.amsl.com (Postfix) with ESMTP id F423B1A00B2 for <tls@ietf.org>; Sat, 19 Apr 2014 16:17:06 -0700 (PDT)
Received: from [174.252.33.205] (helo=Williams-MacBook-Pro.local) by elasmtp-junco.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1WbeVI-0006XH-SK; Sat, 19 Apr 2014 19:17:01 -0400
Date: Sat, 19 Apr 2014 16:17:00 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Priority: 3
In-Reply-To: <CACsn0cm9-V9eGZxPprCU81SLuXg5wpRqmwqLUZ54V0XBKS+9Dg@mail.gmail.com>
Message-ID: <r422Ps-1075i-877EECC2FE574FE98F12210F9102F3F4@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.3.1 (422)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec7953dfa3f948be7a31f2d292e02d531489350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 174.252.33.205
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/R2XwUlO2b0HmNJnpmACPTpHUEqA
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating more (DSA?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 23:17:12 -0000
On 4/19/14 at 10:44 AM, watsonbladd@gmail.com (Watson Ladd) wrote: >On Sat, Apr 19, 2014 at 8:55 AM, Bill Frantz <frantz@pwpconsult.com> wrote: >>The other use case to always keep in mind is limited performance devices. >>With the Internet of Things, we will continue to see new 8 bit, and possibly >>even 4 bit processors as manufactures drive in the direction of the small, >>low power, and cheap. These devices will be much safer if they have >>authentication and replay protection. While secrecy is probably not as >>important, it might also be vital in certain applications of these devices. > >So AES-CCM fixes one issue (the wire PDU), but we really, really, need >a hash for the handshake. These devices also might not even have >random number generators that aren't deterministic or a counter to >avoid replays. There's a lot to be done: benchmarking, thinking hard >about protocol problems that might cause issues, determining what we >can and cannot provide. One way to address the random number problem is to use the protocol that most web sites used with SSL. In that protocol, the client generated the random number and encrypted it with the server's public key. With the Internet of Things (IoT), having the controller end, which usually has a UI and lots of opportunity to generate good, unguessable numbers, generate the random number and the "thing" accept it might work well. A way to be agnostic about which was the client and which was the server is a protocol where if either end had good unguessable numbers, the resulting connection was secure would be nice. Getting perfect forward security in this environment might be hard. >From some cursory research, hash functions are the real issue here. >AES is byte-oriented, but Keccak is slow as molasses at big capacities >sans SIMD. SHA-256 and friends all use 32 bit addition. Anyone got AVR >benchmark data? We should think about the performance requirements here. If I am instructing my Nest thermostat to warm up the house because i'm coming home, several seconds is more than acceptable. If I am building a light show for the bulbs in my living room, probably 1/10 of a second is acceptable, and 1/100 of a second is certainly good enough. >... > >With ECC life can get interesting. Drop the idea of RSA and DHE over >F_p: too slow. 8 bit saturated arithmetic is probably the best. >Timings are pretty slow: lots of verifications are a terrible idea. >With PSK you don't need any of this, but I think that some embedded >CPUs have the horsepower to do ECC, even at 8 bits. Make sure that >this happens rarely, i.e. mostly static keys so results can be cached, >and I think we are good. Due to memory pressure ladders are great. Hmmm, my first read had ECC as Error Correction Codes but the paragraph reads a lot better if I read Elliptic Curve Cryptography. :-) When we look at these processors, although the slower the clock, the less power required, there is a limit. If we run the clock much below 1 MHz, we have reached the point of seriously diminishing returns. 100 MHz is much more realistic. Since Elliptic Curve Cryptography gives more security/cycle than discrete logs, it is a very attractive technology. >I've never seen a 4 bit micro. Anyone got details on what they are >like and can do? Look up the Intel 4004 for an early example. I don't know we will see the 4 bit wide ALUs again, but the drive for low cost, low power, and cheap is certainly still alive and well. Cheers - Bill ----------------------------------------------------------------------- Bill Frantz | "The only thing we have to | Periwinkle (408)356-8506 | fear is fear itself." - FDR | 16345 Englewood Ave www.pwpconsult.com | Inaugural address, 3/4/1933 | Los Gatos, CA 95032
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Matt Caswell
- [TLS] Deprecating RC4 (was: draft-ietf-tls-encryp… Eric Rescorla
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Thomson
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Kurt Roeckx
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Daniel Kahn Gillmor
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Peter Yee
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Andrei Popov
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Stephen Checkoway
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Yoav Nir
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Geoffrey Keating
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Jim Schaad
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Manuel Pégourié-Gonnard
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Johannes Merkle
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Stephen Farrell
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Richard Hartmann
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Yoav Nir
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Warren Kumari
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Eric Rescorla
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Rex
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Thomson
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Rex
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Watson Ladd
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Bill Frantz
- [TLS] Deprecating more (DSA?) (was Re: Deprecatin… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Yoav Nir
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Daniel Kahn Gillmor
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Tom Ritter
- Re: [TLS] Deprecating more (DSA?) Alyssa Rowan
- Re: [TLS] Deprecating more (DSA?) Joseph Salowey (jsalowey)
- Re: [TLS] Deprecating more (DSA?) Watson Ladd
- Re: [TLS] Deprecating more (DSA?) Alyssa Rowan
- Re: [TLS] Deprecating more (DSA?) Johannes Merkle
- Re: [TLS] Deprecating more (DSA?) Brian Sniffen
- Re: [TLS] Deprecating more (DSA?) Bill Frantz
- Re: [TLS] Deprecating more (DSA?) Watson Ladd
- Re: [TLS] Deprecating more (DSA?) Samuel Neves
- Re: [TLS] Deprecating more (DSA?) Bill Frantz