Bringing Elliptic Curve Cryptography into the Mainstream
Elliptic Curve Cryptography: Bringing it to the mainstream
Stanford Security Lunch November 4, 2015
Nick Sullivan @grittygrease
DNS
HTTP
HTTPS
The “S” stands for TLS
HTTPS Adoption (2013)
• 2,545,693 valid RSA 2048-bit certificates
• Zero valid ECDSA certificates
Source: Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013)
CloudFlare Reverse Proxy
[Diagram: certificate issuance between the CA, CloudFlare and CloudFlare Edge DNS; labels: CSR, TXT?, Proof, Certificate]
Goal
Enable HTTPS by default for ~2 million free customers
Issue: Scale
~30 Trillion Requests/Day
What is expensive in TLS?
• Private key operations
• Bulk encryption
Bulk Encryption
• Basically free with modern Intel processors
• AES-GCM on Haswell is ~1 cycle per byte
Private Key Operations
• Orders of magnitude slower than symmetric crypto
• RSA ~2,000,000 cycles per signature on Haswell
• ~500 Quadrillion Cycles/Day
We can do better
• Session resumption (~33%)
ECDSA
Elliptic Curve Digital Signature Algorithm
ECDSA
• Digital signature algorithm based on elliptic curve crypto
• Widely studied; no known sub-exponential algorithm for the discrete logarithm
• Standardized NIST Curves (P256, P384, P521)
• NSA Suite B (Secret and Top Secret)
EQUATIONS!!!
ECDSA Advantages
• Smaller keys (256-bit EC ~ 3072-bit RSA)
• Faster signatures (~800K vs 2M cycles)
• Vlad Krasnov improved this to ~375K cycles by using x86_64 assembly
• Merged into OpenSSL, Golang
• Saves 300 Quadrillion Cycles/Day (given 100% HTTPS)
ECDSA Downsides
• Slower signature verification
• Less ubiquitous
• Roots were added in
• Some systems don’t support ECDSA (Android 2, Windows XP)
• Patent encumbrances
• Not quantum-safe: subject to Shor’s algorithm
Universal SSL
• Free ECDSA certificates for all customers
• HTTPS enabled by default
• Total number of HTTPS sites is up by over 2 million
• SNI-only so scans undercount
What about DNS?
Authoritative Servers
Cache Poisoning (Kaminsky’s attack)
[Diagram: Resolver and Authoritative Server. Q: what is the IP address of cloudflare.com; A: 198.41.213.157; repeated answers “A: 6.6.6.6”]
Man-in-the-middle
[Diagram: Resolver and Authoritative Server. Q: what is the IP address of cloudflare.com; A: 198.41.213.157; A: 6.6.6.6]
DNSSEC signature verification
[Diagram: DNSSEC chain of signatures. Operators shown: ICANN, Verisign, Authoritative (i.e. CloudFlare). Labels: Root Key; DNSKEY KSK, DNSKEY ZSK and DNSKEY RRSIG for each of ".", "com." and "example.com."; DS com.; DS example.com.; DS RRSIG com.; A example.com.; A RRSIG example.com.; A RRSIG .]
Solution: DNSSEC (done right)
Digital signatures in the DNS
Live-signed answers
Elliptic curve keys
Solution: DNSSEC (done right)
cloudflare.net. 300 IN A 104.20.36.89
cloudflare.net. 300 IN A 104.20.37.89
cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha /Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ==
ietf.org. 1800 IN A 4.31.198.44
ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA==
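An added example (not from the original slides) that parses the two RRSIG records above and reports each signature's algorithm, size and validity window: the algorithm 13 (ECDSA P-256) signature decodes to 64 bytes and is valid for about two days, while the algorithm 5 (RSA/SHA-1) signature decodes to 256 bytes and is valid for about a year. The function and field names are this example's own.

```python
import base64
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers for the two records on the slide.
ALGORITHMS = {5: "RSASHA1", 13: "ECDSAP256SHA256"}

# The two RRSIG records, copied from the slide above.
CLOUDFLARE = (
    "cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 "
    "35273 cloudflare.net. "
    "1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha "
    "/Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ=="
)
IETF = (
    "ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 "
    "40452 ietf.org. "
    "DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH "
    "Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/UnTsX62on0SQft/YkgAogMdZI "
    "U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX "
    "m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ "
    "AZMSJyTuJxB+6z+59v4/QxP+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN "
    "708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA=="
)

def _timestamp(text):
    # Handles the 14-digit YYYYMMDDHHmmSS form used in these records.
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(record):
    """Split an RRSIG in presentation format (RFC 4034, section 3.2)."""
    f = record.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    signature = base64.b64decode("".join(f[12:]), validate=True)
    window = _timestamp(f[8]) - _timestamp(f[9])  # expiration - inception
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": ALGORITHMS.get(int(f[5]), f"unknown({f[5]})"),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature_bytes": len(signature),
        "validity_hours": window.total_seconds() / 3600,
    }

if __name__ == "__main__":
    for rec in (CLOUDFLARE, IETF):
        print(parse_rrsig(rec))
```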
Issues addressed
Fix zone enumeration with live signing
Fix live signing with ECDSA — in the Go language
Vlad's performance improvements
Amplification-neutral
ECDSA - Miscellaneous
• Randomness breaks ECDSA
  • Fixed by RFC 6979
• Patent issues
  • ECDSA is not supported by Red Hat
• A Riddle Wrapped in an Enigma
  • Koblitz & Menezes paper on Suite B
• Are the NIST curves safe?