IETF Logo Mail Archive

Re: [TLS] Should we use proof-of-possession rather than signatures?

Bill Cox <waywardgeek@google.com> Tue, 24 November 2015 22:31 UTC

Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A06B21A90B0 for <tls@ietfa.amsl.com>; Tue, 24 Nov 2015 14:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.363
X-Spam-Level:
X-Spam-Status: No, score=-1.363 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cdux7fNCpsAJ for <tls@ietfa.amsl.com>; Tue, 24 Nov 2015 14:31:08 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB4CA1A90AD for <TLS@ietf.org>; Tue, 24 Nov 2015 14:31:08 -0800 (PST)
Received: by iouu10 with SMTP id u10so36373457iou.0 for <TLS@ietf.org>; Tue, 24 Nov 2015 14:31:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DBPrUAlAUHHAp2vEv414hF50Ef4V7qZpF/dv7TRypLk=; b=FwcXIzd9nICloS9nisd+O8kLm2WI8jAVtBYX/7En5lA1jsXEMDiyg8cW4Jh22+qZxl W7KgKTY2jnRzy42f+ZXgqh637MqcSlfRsJPTvyb6YxZzdt6DZuUJKUgbHcdiisPliW4m XJixtZ0Uwx+j2mzChU0iEUo6BOs+lWsFzB34Ibe3J5XsykwfMZ0PSHE3GH+HtbjebAKX 0eXagZ4NVF/X59C/EiXnhoBYaVbEHkRJW6S6rOXhMjgt/rV9sAKZG1n1og2JhhtsLjT4 3luvRbQqIr81c3rWxHGb2pLTgOVxbGyzVBtZJq+djpAu90LxVd/9Us8vlPq7+OohsCP1 XB+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=DBPrUAlAUHHAp2vEv414hF50Ef4V7qZpF/dv7TRypLk=; b=JOqRc0fXjIJsEHH0w3PNhlvgXjodKAcqOewHuNmudLzozdiTDzo5GFpCTDkRyjdnP7 VkPNixiW8TR3QtB3e3nxHa2xEVoPYTuyiDMXX7XzDQs0TLIITvl3RDhxsOo/6SycWKQ4 tzLhvOvSVZ30v3KPN3VNdZRApSwcHwIiX6P8x7D0myCQtVgBs3lENrUj2eHHCqvJOcOZ hKdUUjT+tuMT/+pnVdOZBiINaVXlehoQeJJTLS/bxIwJYeXJHBnf/RY1KWBRPlakli3c 67vog36I87DK/WQsb9vv4Mg2uPrjBWLhIVvY+WTGfZppgxCtqND995/Ou5iil9cT6Nr9 kyBQ==
X-Gm-Message-State: ALoCoQmE+fl8+e0FSoVlI7cjbFPvD6xNBTOQve9iLZzdm8oUoW8fxYvqtZXGf4H4eXj4t5CcZSyH
MIME-Version: 1.0
X-Received: by 10.107.25.81 with SMTP id 78mr35513251ioz.127.1448404261572; Tue, 24 Nov 2015 14:31:01 -0800 (PST)
Received: by 10.107.173.15 with HTTP; Tue, 24 Nov 2015 14:31:00 -0800 (PST)
In-Reply-To: <727C6597-F386-4349-B334-6D8442354F1E@shiftleft.org>
References: <CAH9QtQEwXBYapbNb5FC0=yOHJ_brmx+P0_6ODoWP-wQOQW=oMg@mail.gmail.com> <CABcZeBOk0mXFAHR_LFvN0CjuH3TuiMpOB5YossX+3oPMMx-aaQ@mail.gmail.com> <689E730F-63D4-4D64-B678-D5A701983146@shiftleft.org> <CADi0yUPtprXrczVPDObj8MQd9tnXMysepbFNA=whrJV=H1E65w@mail.gmail.com> <727C6597-F386-4349-B334-6D8442354F1E@shiftleft.org>
Date: Tue, 24 Nov 2015 14:31:00 -0800
Message-ID: <CAH9QtQFC9s5_jv+i3N5g894dt98c7zP31hjtR8MwQPuE6kHn4g@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Michael Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary="001a113ff00a838a4e052550e588"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/XGEmXhfpOZQl022fuwsI1fG8H8U>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Should we use proof-of-possession rather than signatures?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2015 22:31:10 -0000

On Tue, Nov 24, 2015 at 1:25 PM, Michael Hamburg <mike@shiftleft.org> wrote:

> I agree for new protocols, but the proposal for TLS isn’t all-DH.  It’s
> allowing both all-DH and DHE+sign.  That’s more complex than just allowing
> DHE+sign.  But I suppose the difference in TLS as proposed is really just
> putting a DH+MAC in CertificateVerify instead of a signature, which isn’t a
> complicated difference.
>
> Sorry to be negative.  I really do like all-DH for simplicity, compactness
> and speed, especially if IP-encumbered algorithms are available.  I’m not
> against its inclusion in TLS if others think it’s worth the complexity of
> adding another option.  But I’m grumpy because this thread started with an
> insecure proposal justified using incorrect numbers.
>

I need to remember not to skip details when writing to this group :)  Yes,
encrypting a handshake digest is the right thing to do, not the client
random.  I normally leave out this detail in discussions to simplify making
my point.  I'll see if I can correct some numbers below.  Also, that was an
awesome attack in the paper linked to above.  Clearly, this is tricky
territory to make changes securely!

I think latency is more important than CPU overhead or whether the latency
happens at the client or server.  Since servers have well managed
computation capability, it may be best to favor server-side latency, where
it can be managed and minimized, vs client latency which can vary much more.

Just looking at TLS 1.3 1-RTT mode handshake (0-RTT does not use
CertificateVerify), the latency looks like this:

- First flight from client to server: 0 overhead, since ephemeral keyshare
can be precomputed
- First flight from server to client: 1 shared key derivation, in parallel
with signing
- Second flight from client to server: 1 shared key derivation in parallel
with verification

At least for Ed25519 and ECDSA-P256, signing is faster than shared key
derivation, which is faster than signature verification.  So, the latency
is 1 shared key derivation + 1 signature verification.  The median values
for Skylake using curve25519/Ed25519 are, in cycles:

keyshare computation: 150690
shared secret derivation: 143338
signing: 48990
verify signature: 161488

If we take full advantage of parallelism, the latency is 304,862 cycles.
If instead we used ECC DH everywhere, it would be 2 keyshare computations =
286676 cycles.  There would only be about a 6% improvement, which is hard
to get excited about.  Also, on some other curves it could be slower,
rather than faster.

AFAIK, OpenSSL and most other TLS libraries do not use multiple threads,
and will not take advantage of the available parallelism to reduce
latency.  At first glance, it looks like there is significant opportunity
here, but I know the coders involved in this code base are among the best
in the world.  There is zero chance they decided to avoid pthreads without
some pretty good reasons (cross-platform compatibility?).  I bet the
ephemeral keyshares are also not precomputed.

Without multiple threads, the 1-RTT handshake takes 2 keyshare computations
+ 2 shared key derivations + 1 sign + 1 verify = 798534 cycles.  With ECC
DH based proof-of-possession, it would be 2 keyshare computations + 4
shared key derivations = 874732 cycles, worse than with the current signing
scheme.

>From the paper, it sounds like using delegated keys currently has some
unanticipated security problems, at least in the near term while we
continue to accept incorrectly padded RSA based certs.  Would Hugo's
suggestions for extending certificates address weaknesses due to delegated
keys, and allow DH keyshares to be used for proof-of-possession, and
possibly MQV?  If so, it sounds like a valuable upgrade.

Thanks,
Bill

v2.23.0 | Report a Bug | By Email