[TLS] How to reduce number of verifications

Watson Ladd <watsonbladd@gmail.com> Tue, 03 March 2015 06:03 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5420D1A0155 for <tls@ietfa.amsl.com>; Mon, 2 Mar 2015 22:03:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id CrfrY7EI3IzD for <tls@ietfa.amsl.com>; Mon, 2 Mar 2015 22:03:42 -0800 (PST)
Received: from mail-yh0-x232.google.com (mail-yh0-x232.google.com [IPv6:2607:f8b0:4002:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E807A1A0154 for <tls@ietf.org>; Mon, 2 Mar 2015 22:03:41 -0800 (PST)
Received: by yhoc41 with SMTP id c41so386629yho.13 for <tls@ietf.org>; Mon, 02 Mar 2015 22:03:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=MPioH7HESdzI2KxpJGiLuj3xTf2uc8+jbe7sY0wK6CQ=; b=KiXxuywQq5NJlnoQY0460/etpBmzZp6zadgUEO+vOrQD/UaUHQypgBJp3JkGpoNQxn FwFpSXMj5Yb01WhnbHW1Yuw7v50dWkWCyWyWObJuvZ8IUf3FIsHuds7J0e/Iomhg2XVw 7srW5m2zfXzsdyXh10eHtYlSRfbHNMcByaNSS5UHeXqhoRL2YjXf98vRnisu36tkczZl YCZDVl8TknvENEHHnLrbT8bt495u2dSrGKxBTo5Bq1fMx2EU9dIFPbdeJi4DflB1lqSW daUFHC5qHOMYesB3yKNSBUX6ASRWolQfUVtPgdP91nBDCTtvyjqPSB3MJy7xOabQYQCm 1vew==
MIME-Version: 1.0
X-Received: by with SMTP id m188mr32085379ykf.58.1425362621195; Mon, 02 Mar 2015 22:03:41 -0800 (PST)
Received: by with HTTP; Mon, 2 Mar 2015 22:03:41 -0800 (PST)
Date: Mon, 02 Mar 2015 22:03:41 -0800
Message-ID: <CACsn0ckUSeN2r=bZpXc-CQYBW1NpoRe9bEAtOJCkJQy6K8+UsQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/aVox6rF6kfxzJVKsH6z0OmCtvuY>
Subject: [TLS] How to reduce number of verifications
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2015 06:03:43 -0000

Dear all,

Right now it looks like browsers will need to conduct a lot of
signature verifications. First, they will need to verify the
certificate chain. Second, they will need to validate OCSP. Thirdly,
they will need to validate CT records, when Certificate Transparency
is deployed.

Most of these signatures are not online. All of them can safely be
done with currently deployed RSA 2048, or a 255 bit elliptic curve.
None of them require more security, as future cryptanalysis cannot
affect today's authentication.

We should consider carefully studying which combinations of algorithms
for which signatures will provide the most performance, as well as how
we can minimize the number of verifications that will take place. I've
not done that much in this direction: it comes down to the marginal
cost of batch verification of Schnorr-like schemes vs. straight RSA
verification when we don't have online signing.

Watson Ladd