Re: [TLS] Thoughts on TLS 1.3 cryptography performance
Nico Williams <nico@cryptonector.com> Thu, 13 March 2014 06:27 UTC
In-Reply-To: <CACsn0ckVq5wkjsZgV6XrsgA6tU6_6YLKOsJQMivFY59esX1Ywg@mail.gmail.com>
References: <CACsn0ckbrrt0rBsHM+5A_jNK6UvkaiO9mHx6=Jr+jjqy+bZ6MQ@mail.gmail.com> <CAK3OfOj_+RzqPj0LJa=EyeJ5UqSy42z-_kF2tqYYZb=efFEwrQ@mail.gmail.com> <CACsn0ckVq5wkjsZgV6XrsgA6tU6_6YLKOsJQMivFY59esX1Ywg@mail.gmail.com>
Date: Thu, 13 Mar 2014 01:26:57 -0500
Message-ID: <CAK3OfOhzD+D2Tf=1JwzCfPf_m5uWhBj3sVd=UQw8b4fthGt-Bw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fxtZ_flRkK_0NRFV1udQQHNH4vE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on TLS 1.3 cryptography performance
On Thu, Mar 13, 2014 at 1:12 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Wed, Mar 12, 2014 at 9:54 PM, Nico Williams <nico@cryptonector.com> wrote:
>> Isn't session resumption with session tickets faster still and
>> -provided the insufficiency of binding from resumed to original
>> session is fixed- as secure? Ah, you want PFS even on resumption, but
>> surely that could be added, and even then the result should still
>> perform even better than your proposal.
>
> The performance gain doesn't work like that. It's not from the client
> having seen the g^a before, but that the server doesn't need to sign a
> new value every time it does a handshake. The client can avoid
> validations if it can remember a global database of public
> information, but if not it is only slightly worse off than today in
> calculation.

Well, but with resumption the signature validation is also optimized
away for a while.

> By contrast resumption only works if the client maintains some data
> that has to be kept secret, and if the server still remembers how to
> read the tickets that it handed out.

[...]

Ah! Thanks, that's the key. It's OK to expect servers to remember how
to read their session tickets.

As for the need to keep session resumption tickets private on the
client side... certainly the client would have to provide integrity
protection to any cache of signature validations and server public
ECDH keys, but ticket compromise is rather severe: past non-PFS
resumptions are compromised and the attacker can impersonate the
client in future resumptions regardless of past PFS use.

Of course, in your scheme if the client can't protect its local cache
then it's subject to some MITM attacks, but that's a much smaller
concern.

Thanks,

Nico
--
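The three properties the exchange above turns on (the server has to keep the key that reads its tickets, the client's ticket secret is a real secret rather than merely integrity-protected data, and a resumed session should be bound to the original handshake, with an optional fresh DH input for PFS on resumption) can be made concrete in a small model. The following is an added toy example, not code from this thread, from the IETF, or from any TLS implementation. It uses only HMAC-SHA256-based derivation from the Python standard library; the ticket layout, the `binder` construction and the `ephemeral` parameter (a stand-in for the output of a fresh ECDH exchange that is not implemented here) are this example's own assumptions, and all inputs are constructed.

```python
import hashlib
import hmac
import secrets

# Toy model of stateless session-ticket resumption (added example, not TLS).
# Layout and derivations below are assumptions made for illustration.


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(prk, prev + info + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def compute_binder(secret: bytes, new_transcript: bytes) -> bytes:
    # Proves the client holds the resumption secret, over THIS handshake's transcript.
    binder_key = hkdf_expand(secret, b"binder")
    return hmac.new(binder_key, new_transcript, hashlib.sha256).digest()


def session_key(secret: bytes, new_transcript: bytes, ephemeral: bytes = b"") -> bytes:
    # `ephemeral` stands in for a fresh (EC)DH output (assumed, not computed here).
    # With ephemeral=b"" the session key is a pure function of the ticket secret,
    # which is why a leaked secret exposes non-PFS resumptions.
    return hkdf_expand(hkdf_extract(secret, ephemeral), b"session" + new_transcript)


class TicketServer:
    """Holds the server's ticket keys. A ticket is only readable while the key
    that produced it is retained; once rotated out, the client gets a full handshake."""

    def __init__(self, keep: int = 2):
        self.keys = {}      # key_id -> ticket key
        self.order = []     # key_ids, oldest first
        self.keep = keep
        self.rotate()

    def rotate(self) -> None:
        key_id = secrets.token_bytes(4)
        self.keys[key_id] = secrets.token_bytes(32)
        self.order.append(key_id)
        while len(self.order) > self.keep:
            del self.keys[self.order.pop(0)]
        self.current = key_id

    @staticmethod
    def _derive(stek: bytes, nonce: bytes, transcript_hash: bytes) -> bytes:
        # Binding the secret to the original transcript ties the resumed
        # session to the session that issued the ticket.
        return hkdf_extract(stek, nonce + transcript_hash)

    def issue_ticket(self, transcript_hash: bytes):
        """After a full handshake: returns (ticket, resumption_secret). The secret
        is assumed to reach the client over the already-protected channel."""
        nonce = secrets.token_bytes(16)
        stek = self.keys[self.current]
        body = self.current + nonce + transcript_hash          # 4 + 16 + 32 bytes
        mac = hmac.new(stek, b"ticket" + body, hashlib.sha256).digest()
        return body + mac, self._derive(stek, nonce, transcript_hash)

    def resume(self, ticket: bytes, new_transcript: bytes, binder: bytes,
               ephemeral: bytes = b""):
        """Returns the resumed session key, or None (caller falls back to a full handshake)."""
        if len(ticket) != 4 + 16 + 32 + 32:
            return None
        key_id, nonce, th, mac = ticket[:4], ticket[4:20], ticket[20:52], ticket[52:]
        stek = self.keys.get(key_id)
        if stek is None:
            return None     # key rotated away: server no longer remembers how to read it
        expect = hmac.new(stek, b"ticket" + key_id + nonce + th, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, mac):
            return None
        secret = self._derive(stek, nonce, th)
        if not hmac.compare_digest(compute_binder(secret, new_transcript), binder):
            return None
        return session_key(secret, new_transcript, ephemeral)


def demo() -> dict:
    """Constructed walk-through of the properties discussed in the thread."""
    server = TicketServer(keep=1)
    th0 = hashlib.sha256(b"constructed original handshake transcript").digest()
    ticket, secret = server.issue_ticket(th0)
    th1 = hashlib.sha256(b"constructed resumption transcript").digest()
    binder = compute_binder(secret, th1)
    k_server = server.resume(ticket, th1, binder)
    k_client = session_key(secret, th1)
    results = {"resumed_ok": k_server is not None and k_server == k_client}
    # A client without the secret cannot produce a valid binder.
    results["wrong_secret_rejected"] = (
        server.resume(ticket, th1, compute_binder(secrets.token_bytes(32), th1)) is None)
    # Mixing a fresh DH output changes the key: the secret alone no longer determines it.
    eph = secrets.token_bytes(32)  # stand-in for a fresh ECDH shared secret (assumed)
    k_pfs = server.resume(ticket, th1, binder, ephemeral=eph)
    results["pfs_mixes_ephemeral"] = k_pfs is not None and k_pfs != k_client
    # keep=1: one rotation discards the key that issued this ticket.
    server.rotate()
    results["after_rotation_rejected"] = server.resume(ticket, th1, binder) is None
    return results
```

Running `demo()` shows all four outcomes; the `after_rotation_rejected` case is the operational cost Watson points to (the server must retain old ticket keys for as long as it wants tickets to remain usable), and the difference between `k_client` and `k_pfs` is the distinction Nico draws between a plain resumption and one that carries a fresh key exchange.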