Re: [TLS] Straw poll on draft-ietf-tls-ecc-*
Bodo Moeller <bmoeller@eecs.berkeley.edu> Thu, 30 September 2004 02:10 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA14116; Wed, 29 Sep 2004 22:10:49 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CCqXN-0001KG-T4; Wed, 29 Sep 2004 22:19:18 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CCqMO-0004Ix-U9; Wed, 29 Sep 2004 22:07:56 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CCqBa-0000zY-QY for tls@megatron.ietf.org; Wed, 29 Sep 2004 21:56:46 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA13143 for <tls@ietf.org>; Wed, 29 Sep 2004 21:56:44 -0400 (EDT)
Received: from moutng.kundenserver.de ([212.227.126.190]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CCqJj-00012j-Qu for tls@ietf.org; Wed, 29 Sep 2004 22:05:12 -0400
Received: from [212.227.126.206] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1CCqBY-0003dF-00 for tls@ietf.org; Thu, 30 Sep 2004 03:56:44 +0200
Received: from [128.32.153.61] (helo=tau.local) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1CCqBY-0005yD-00; Thu, 30 Sep 2004 03:56:44 +0200
Received: from eecs.berkeley.edu (localhost [127.0.0.1]) by tau.local (Postfix) with ESMTP id 57B4D2D616; Wed, 29 Sep 2004 18:56:00 -0700 (PDT)
Message-ID: <415B67B0.80500@eecs.berkeley.edu>
Date: Wed, 29 Sep 2004 18:56:00 -0700
From: Bodo Moeller <bmoeller@eecs.berkeley.edu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021204
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: tls@ietf.org
Subject: Re: [TLS] Straw poll on draft-ietf-tls-ecc-*
References: <20040928231022.9FCD1717F@sierra.rtfm.com>
In-Reply-To: <20040928231022.9FCD1717F@sierra.rtfm.com>
X-Enigmail-Version: 0.71.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a87a9cdae4ac5d3fbeee75cd0026d632
Content-Transfer-Encoding: 7bit
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Content-Transfer-Encoding: 7bit
Eric Rescorla wrote: > This is a Straw Poll in the fate of draft-ietf-tls-ecc-*. [...] > This Straw Poll will run for the next week (through Tuesday > October 5th.) Please register your opinion by then, either > to me or to the list. I vote for option A ("Advance draft-ietf-tls-ecc-* to Proposed Standard"). My reasons include: * IPR: I don't buy the claim "Clearly, ECC is a patent minefield" made in <20040928230824.D41B1717F@sierra.rtfm.com> (http://www.imc.org/ietf-tls/mail-archive/msg04342.html). I am, of course, well aware of the wide-spread *perception* that ECC was a patent minefield. But clearly, there is a lot of prior art preceding any known ECC patents; I cited some of it in <4133DE21.7060306@eecs.berkeley.edu> (http://www.imc.org/ietf-tls/mail-archive/msg04309.html). There are actually no more patent issues to worry about for elliptic curves with ECDH or ECDSA than for conventional DH and DSA, unless you are specifically using certain new patented techniques (which often involve special classes of curves that you wouldn't normally run into unless you are determined to). Some think that the S/MIME ECC RFC 3278, "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)" (April 2002), which is Informational, sets an example that the TLS ECC RFC should follow. But actually RFC 3278 uses the MQV protocol which is clearly patented, whether with or without elliptic curves; so I acknowledge that there was a good reason to make RFC 3278 Informational for IPR reasons. This reason does not affect the current TLS ECC draft: draft-ietf-tls-ecc-06.txt does not use MQV (early revisions did, but the specification has since been changed so that it avoids this patent-encumbered technique). There's one thing specified in draft-ietf-tls-ecc-06.txt that requires a patented technique: The draft specifies the use of point compression, as a "MAY". Uncompressed points are the default and a "MUST" (TLS extensions are used to negotiate whether point compression is permissible, so support of point compression cannot affect interoperability, just efficiency). Point compression is affected by patents just in the case of curves over characteristic-2 fields; there's no problem for prime fields. * Technical: One of the advantages of elliptic curve cryptography is that its expected security is better than that of RSA or conventional DH. This is a somewhat fuzzy statement; more precisely, we know that attacks against RSA and DH have subexponential complexity, while attacking ECC requires exponential time (around 2^k steps for ECC over (2k)-bit fields). If 1024-bit RSA remains secure in practice, this is not much to worry about; but we cannot be sure of this (for example, Dan Bernstein is working on efficient factorization circuits, see http://cr.yp.to/talks/2004myths2.pdf and elsewhere; he is going to announce results in February 2005 at the SHARCS conference). Increasing keylengths to improve security has a more noticeable effect on performance for RSA and DH than for ECC (with its exponential complexity of known attacks). Currently (i.e. in the light of just those attacks that are already known to be practical), there's a performance argument in favor of ECC in particular if you want forward secrecy: To create symmetric keys that cannot be recovered by someone who obtains a warrant or just breaks in without asking anyone first to obtain your long-time server key, TLS can used either Diffie-Hellman (with the ciphersuites specified in RFC 2246 and the rfc2246-bis draft) or elliptic curve Diffie-Hellman (ECDH, with the ciphersuites specified in the the TLS ECC draft). Depending on the nature of the content that you are protecting with TLS, forward secrecy may not matter; in particular, it is a waste of time if you are using TLS mainly for authentication and don't worry about the possibility that someone might be able to decrypt the TLS sessions after the fact. But when forward secrecy is desired, having ECDH available certainly is a plus. And of course, there's the potential possibility that RSA might turn out to be insecure when new attacks are discovered. In this case it is good to have an alternative ready to switch to. I am too optimistic to really worry about this, so I am mostly listing this additional argument for completeness. It should be noted that ECC support for TLS has been available in open source software implementations for a while (since 2002): both mozilla.org and OpenSSL have it in appropriate revisions. So when we are discussing the TLS ECC draft, we are not talking about vaporware or about a specification that would only be used by rare commercial products. This is something that would be available for everyone to use without much of a hassle. (You just wouldn't get point compression for characteristic-2 fields unless you license the appropriate patent, but that's a small loss.) _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Straw poll on draft-ietf-tls-ecc-* Eric Rescorla
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Vipul Gupta
- RE: [TLS] Straw poll on draft-ietf-tls-ecc-* Pasi.Eronen
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Hovav Shacham
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Tim Dierks
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Tim Dierks
- [TLS] NIST recommendations for TLS Anton Stiglic
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller