Re: [TLS] Should we use proof-of-possession rather than signatures?
Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 24 November 2015 20:28 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23C1D1A8981 for <tls@ietfa.amsl.com>; Tue, 24 Nov 2015 12:28:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffuYfJkq-Mvn for <tls@ietfa.amsl.com>; Tue, 24 Nov 2015 12:28:06 -0800 (PST)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB69C1A897F for <TLS@ietf.org>; Tue, 24 Nov 2015 12:28:05 -0800 (PST)
Received: by lfs39 with SMTP id 39so34224947lfs.3 for <TLS@ietf.org>; Tue, 24 Nov 2015 12:28:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=WSb2L9/Eo/vCOVWkoUEw/lRQDUpkMg2dFk56pRorBI8=; b=tpLFlT80tyvxtzUlliG40DEgVzUM9Fgle6fL90t/H0sypuU/vpqVYpCLXnaZFRpqqV DrHQ3xsug7OaEhRE++YC91lHLcr2cDGkCnkcwjt0mou1IGyqTvJWg7nvS1SKgw/Tivl2 WOifNQ2pPW71d+waP8tWjEX2QUumXsq8SccKR3vXqO+asP2aUWVVsGGbixNM99bBKEyn akxdN1f5pLNkhgiZRZo5MkL3vJctxqwE/OVP4EkBlVGBxNbCCBVJFEGFNdf9apfkOqz3 D9KO9qQO3Gl6vCGBNiGy0E7wwwP+a9xBhQuw9CVaPdUiys+xUylrawfHcSvd34nHLXpG Ewhg==
X-Received: by 10.112.16.135 with SMTP id g7mr14768828lbd.80.1448396883971; Tue, 24 Nov 2015 12:28:03 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.168.210 with HTTP; Tue, 24 Nov 2015 12:27:34 -0800 (PST)
In-Reply-To: <689E730F-63D4-4D64-B678-D5A701983146@shiftleft.org>
References: <CAH9QtQEwXBYapbNb5FC0=yOHJ_brmx+P0_6ODoWP-wQOQW=oMg@mail.gmail.com> <CABcZeBOk0mXFAHR_LFvN0CjuH3TuiMpOB5YossX+3oPMMx-aaQ@mail.gmail.com> <689E730F-63D4-4D64-B678-D5A701983146@shiftleft.org>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 24 Nov 2015 15:27:34 -0500
X-Google-Sender-Auth: z2TpMs0_Sw1T8fIpGm0mGPKty0A
Message-ID: <CADi0yUPtprXrczVPDObj8MQd9tnXMysepbFNA=whrJV=H1E65w@mail.gmail.com>
To: Mike Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary="001a11c3c778c3555d05254f2d15"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/w7PAZtYOzCdYezCzpsPOt5Id2JE>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Should we use proof-of-possession rather than signatures?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2015 20:28:09 -0000
On Tue, Nov 24, 2015 at 12:53 PM, Mike Hamburg <mike@shiftleft.org> wrote: > > > Sent from my phone. Please excuse brevity and typos. > > On Nov 24, 2015, at 09:01, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Tue, Nov 24, 2015 at 8:25 AM, Bill Cox <waywardgeek@google.com> wrote: > >> Much of the world seems to have switched to Schnorr-signature inspired >> ECC signature schemes such as ECDSA-P256 and Ed25519. These schemes are >> very fast, but require two point multiplications to do a Schnorr-style >> verification. A simpler proof-of-possession can be verified with only one >> point multiplication. >> >> The server authentication scheme used in QUIC is for the server to prove >> possession of the static key when it encrypts the new ephemeral key share. >> The trick is to take advantage of the key shares that have already been >> computed. The client has already computed its ephemeral keyshare, and the >> server just uses its static keyshare from the server config. The >> CertificateVerify message could be generated by the server computing the >> ECDHE shared secret between its static secret and the client's ephemeral >> keyshare, and then encrypt of the client random as it's proof. >> > > This is insecure. You need to MAC the whole handshake, especially the > server ephemeral. > > The client verifies the proof by decrypting the nonce. As with Schnorr >> signatures, creating the proof takes only one multiply: in this case the >> server multiplies the client's keyshare by it's static keyshare secret. >> Instead of having to do two scalar point multiplications, the client only >> has to multiply the server's static keyshare by its ephemeral keyshare >> secret. The proof is also smaller: 32 bytes vs 72 for ECDSA-P256. >> > > The size advantage of proof of possession is significant if the server > actually has a DH cert, one for the same group as the client's ephemeral. > > This is a sort of complicated question. > > In general, servers have signature keys, not static DH keys. QUIC bridges > this by > having the server generate an offline signature over a static DH key, but > TLS explicitly > rejected this as a generic approach because of concerns about the impact > of producing > a long-term delegated credential, especially if generic TLS credentials > could be used to > do so (see the extensive discussion on the list a while back on the > mailing list as well > as [0]). So, the current design requires the server to prove present > possession of the > signing key, not just that it possessed it at some point. > > It's correct that demonstrating proof of possession of a long-term DH > share is > somewhat faster than signatures. There are two potential ways to do this > with > TLS while retaining the guarantees above: > > > Correct-ish. For example, the current implementation of ed448 takes 463k > skylake cycles (new cpu, top of the chart, I'm on a phone, sorry) to > compute ecdh, which would need to happen twice. But it takes 162kcy to sign > and 509k to verify, for a total of 671k vs 926k. Signing favors the server > while double DH favors the client; there are good reasons to go in either > direction in this. > > Presumably the two server scalar multiplications could be combined with > dual Shamir's trick, at which point double DH would be slightly faster than > sigs, but I don't have an implementation of that lying around. There is > also a different calculation if the client has precomputed a table from the > server's static key, but nobody does that and I'd guess the results are > similar anyway. > > Proof of possession is a bigger win if you go with MQV. > > 1. Issue DH (or probably ECDH) certificates. > 2. Have a certificate extension that indicates that the certificate can be > used > for offline signatures (following a suggestion by Hugo Krawczyk) > > The general sense of the WG is that while these are both good ideas, ECC > is now > so fast that they can be pursued separately rather than in the critical > path. If you're > interested in working on that, it would be great to get someone on it, so > please > contact me or the chairs offline :) > > > I agree that the speed and size savings are not necessarily worth the > complexity. If we were rolling a new protocol from scratch they probably > would be though. > The all-DH-based solution, with DH certificates, does not add complexity but rather simplifies the protocol and analysis, and opens the option of more efficient protocols (e.g. MQV-like ones). But the world does not seem ready to depart from the beloved signature certificates. Hugo > > > >> This proof-of-possession is not a digital signature, since it can only be >> used to prove to the client that the server possesses the static private >> key. However, I don't see any reason to create a full digital signature. >> Is there any? >> > > See above. In addition, because the signature covers the entire handshake > transcript, it provides some defense against downgrade in cases where the > weakest common group is weaker than the server's signing key. > > > Agreed. It's also clearer how to combine this with postquantum key > exchange, though proof of possession should be fine if you're also using > DHE. > > Cheers, > -- Mike > > -Ekr > > [0] See also: > http://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Should we use proof-of-possession rather th… Bill Cox
- Re: [TLS] Should we use proof-of-possession rathe… Eric Rescorla
- Re: [TLS] Should we use proof-of-possession rathe… Mike Hamburg
- Re: [TLS] Should we use proof-of-possession rathe… Eric Rescorla
- Re: [TLS] Should we use proof-of-possession rathe… Michael Hamburg
- Re: [TLS] Should we use proof-of-possession rathe… Hugo Krawczyk
- Re: [TLS] Should we use proof-of-possession rathe… Michael Hamburg
- Re: [TLS] Should we use proof-of-possession rathe… Bill Cox
- Re: [TLS] Should we use proof-of-possession rathe… Eric Rescorla
- Re: [TLS] Should we use proof-of-possession rathe… Bill Cox