[TLS] RFC 4492 and HSM
Watson Ladd <watsonbladd@gmail.com> Tue, 22 April 2014 01:01 UTC
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 21 Apr 2014 18:00:56 -0700
Message-ID: <CACsn0c=eV9NODQ8t5N0kjxB4_fC4kz__DH0POvhsd0g3SvGSMg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/cf6iH9arK01Sa0k5IENXIDtFtLo
Dear all,

RFC 4492 specifies an ECDSA signature of the server's curve parameters and ephemeral point, but not any fresh data. As a result the ephemeral exponent is equal in sensitivity to the long-term exponent of the ECDSA key, forcing an HSM to protect both, and thus do three exponentiations per connection. If an HSM has limited signing power compared to the CPU of the machine it is attached to, this is a real limitation.

An extra layer of indirection, in which a time-limited key is signed by the certificate, avoids this issue, but is not currently supported if I'm reading everything correctly. Triple-DH handshakes partially mitigate this issue, reducing the online impact to one exponentiation per connection.

If this wrinkle doesn't get ironed out I'm not terribly unhappy. But if we are going to do major surgery on the PRF and related things, the ECDHE handshake is exposed anyway.

Sincerely,
Watson Ladd
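The "extra layer of indirection" the mail proposes, worked through as an added example that is not part of the mail, of RFC 4492, or of any TLS library: a long-term ECDSA key (the one an HSM would hold) endorses a short-lived delegated key together with an expiry, the delegated key signs each connection's ephemeral point on the host CPU, and the client verifies the delegation signature, the expiry, and the per-connection signature in that order. The `Delegation` struct, the domain-separation label, the fixed "now" timestamp and the sample randoms and point are constructed assumptions; the per-connection signature here also covers both handshake randoms so that it is fresh per connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Delegation is a short-lived signing key endorsed by the long-term key.
// Only the endorsement needs the HSM; per-connection signatures use the
// delegated private key on the host. (Constructed format, not a TLS structure.)
type Delegation struct {
	Pub      *ecdsa.PublicKey
	NotAfter int64  // Unix seconds after which verifiers must reject it
	Sig      []byte // ASN.1 ECDSA signature by the long-term key
}

var (
	ErrDelegationSig     = errors.New("delegation not signed by long-term key")
	ErrDelegationExpired = errors.New("delegation expired")
	ErrHandshakeSig      = errors.New("ServerKeyExchange signature invalid")
)

// delegationDigest binds the delegated public key to its expiry under a
// constructed label so the digest cannot collide with a handshake digest.
func delegationDigest(pub *ecdsa.PublicKey, notAfter int64) []byte {
	h := sha256.New()
	h.Write([]byte("example-delegated-signing-key"))
	h.Write(pub.X.FillBytes(make([]byte, 32)))
	h.Write(pub.Y.FillBytes(make([]byte, 32)))
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(notAfter))
	h.Write(ts[:])
	return h.Sum(nil)
}

// skeDigest covers both randoms and the ephemeral point, so the signature
// is tied to this connection and cannot be replayed into another.
func skeDigest(clientRandom, serverRandom, ephemeralPoint []byte) []byte {
	h := sha256.New()
	h.Write(clientRandom)
	h.Write(serverRandom)
	h.Write(ephemeralPoint)
	return h.Sum(nil)
}

// IssueDelegation is the only step that touches the long-term key:
// one HSM signature per validity window instead of one per connection.
func IssueDelegation(longTerm *ecdsa.PrivateKey, now time.Time, ttl time.Duration) (*ecdsa.PrivateKey, *Delegation, error) {
	delegated, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	notAfter := now.Add(ttl).Unix()
	sig, err := ecdsa.SignASN1(rand.Reader, longTerm, delegationDigest(&delegated.PublicKey, notAfter))
	if err != nil {
		return nil, nil, err
	}
	return delegated, &Delegation{Pub: &delegated.PublicKey, NotAfter: notAfter, Sig: sig}, nil
}

// SignServerKeyExchange runs on the host CPU with the delegated key.
func SignServerKeyExchange(delegated *ecdsa.PrivateKey, clientRandom, serverRandom, ephemeralPoint []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, delegated, skeDigest(clientRandom, serverRandom, ephemeralPoint))
}

// VerifyServerKeyExchange is the client side: chain, expiry, then the
// per-connection signature. Order matters: an expired or forged delegation
// is rejected before its key is trusted for anything.
func VerifyServerKeyExchange(longTermPub *ecdsa.PublicKey, d *Delegation, now time.Time, clientRandom, serverRandom, ephemeralPoint, sig []byte) error {
	if !ecdsa.VerifyASN1(longTermPub, delegationDigest(d.Pub, d.NotAfter), d.Sig) {
		return ErrDelegationSig
	}
	if now.Unix() > d.NotAfter {
		return ErrDelegationExpired
	}
	if !ecdsa.VerifyASN1(d.Pub, skeDigest(clientRandom, serverRandom, ephemeralPoint), sig) {
		return ErrHandshakeSig
	}
	return nil
}

// Scenario exercises the accept path and the three reject paths. The randoms
// and the point are constructed placeholders, not real handshake values.
func Scenario() ([]string, error) {
	longTerm, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Unix(1398128456, 0) // fixed "now" so the expiry check is deterministic
	delegated, d, err := IssueDelegation(longTerm, now, time.Hour)
	if err != nil {
		return nil, err
	}
	clientRandom := []byte("constructed-client-random")
	serverRandom := []byte("constructed-server-random")
	point := []byte{0x04, 0xaa, 0xbb} // opaque stand-in for the ECDH public point
	sig, err := SignServerKeyExchange(delegated, clientRandom, serverRandom, point)
	if err != nil {
		return nil, err
	}
	tampered := append([]byte{}, point...)
	tampered[len(tampered)-1] ^= 0x01 // point altered in transit
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unrelated key
	forgedSig, _ := ecdsa.SignASN1(rand.Reader, other, delegationDigest(d.Pub, d.NotAfter))
	forged := &Delegation{Pub: d.Pub, NotAfter: d.NotAfter, Sig: forgedSig}
	pub := &longTerm.PublicKey
	checks := []error{
		VerifyServerKeyExchange(pub, d, now, clientRandom, serverRandom, point, sig),
		VerifyServerKeyExchange(pub, d, now.Add(2*time.Hour), clientRandom, serverRandom, point, sig),
		VerifyServerKeyExchange(pub, d, now, clientRandom, serverRandom, tampered, sig),
		VerifyServerKeyExchange(pub, forged, now, clientRandom, serverRandom, point, sig),
	}
	out := make([]string, len(checks))
	for i, e := range checks {
		if e == nil {
			out[i] = "ok"
		} else {
			out[i] = e.Error()
		}
	}
	return out, nil
}

func main() {
	res, err := Scenario()
	fmt.Println(res, err)
}
```

With this split the HSM signs once per validity window (the delegation), while every connection costs the host one ECDSA signature plus the ECDH work; a leaked delegated key is bounded by `NotAfter`, whereas in the layout the mail describes the ephemeral and long-term secrets have to be protected alike.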