Elliptic Curve CryptographyBringing it to the mainstream

Stanford Security Lunch November 4, 2015

Nick Sullivan @grittygrease

nick@cloudflare.com

DNS

HTTP

HTTPSThe “S” stands for TLS

HTTPS Adoption (2013)• 2,545,693 valid RSA 2048-bit certificates

Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013)

• Zero valid ECDSA certificates

9

CloudFlare Reverse Proxy

10

11

CACloudFlare

CloudFlare Edge DNS

CSR

TXT?

Proof

TXT?

Proof

Certificate

Proof

Goal

Enable HTTPS by default for ~2 million free

customers12

Issue: Scale

~30 Trillion Requests/Day

13

What is expensive in TLS?• Private key Operations

• Bulk encryption

14

Bulk Encryption• Basically free with modern Intel processors

• AES-GCM on Haswell is ~1 cycle per byte

15

Private Key Operations• Orders of magnitude slower than symmetric crypto

• RSA ~2,000,000 cycles per signature on Haswell

• ~500 Quadrillion Cycles/Day

16

We can do better• Session resumption (~33%)

17

ECDSAElliptic Curve Digital Signature Algorithm

ECDSA• Digital signature algorithm based on elliptic curve crypto

• Widely studied, no sub-exponential discrete logarithm

• Standardized NIST Curves (P256, P384, P521)

• NSA Suite B (Secret and Top Secret)

19

EQUATIONS!!!

20

ECDSA Advantages• Smaller keys (256bit EC ~ 3072bit RSA)

• Faster signatures (~800K vs 2M)

• Vlad Krasnov improved to ~375K by using x86_64 asm

• Merged into OpenSSL, Golang

• Saves 300 Quadrillion Cycles/Day (given 100% HTTPS)

21

ECDSA Downsides• Slower signature verification

• Less ubiquitous

• Roots were added in

• Some systems don’t support ECDSA (Android 2, Windows XP)

• Patent encumbrances

• Not quantum-safe: subject to Shor’s algorithm

22

Universal SSL• Free ECDSA certificates for all customers

• HTTPS enabled by default

• Total number of HTTPS sites is up by over 2 million

• SNI-only so scans undercount

23

What about DNS?

24

Authoritative Servers

25

Cache Poisoning (Kaminsky’s attack)

26

Resolver AuthoritativeServer

Q: what is the IP address of cloudflare.com

A: 198.41.213.157

A: 6

.6.6

.6

A: 6

.6.6

.6 A: 6.6.6.6

A: 6.6.6.6A: 6.6.6.6

A: 6.6.6.6A: 6.6.6.6

Man-in-the-middle

27

ResolverAuthoritative

Server

Q: what is the IP address of cloudflare.com

A: 198.41.213.157A: 6.6.6.6

DNSSEC signature verification

28

Aexample.com. A RRSIG

example.com.DNSKEY KSKexample.com.

DNSKEY KSK .

Verisign

Authoritative(i.e. CloudFlare)

ICANN

DSexample.com.

DScom.

Root Key

DNSKEY ZSKexample.com.

DNSKEY RRSIGexample.com.

DS RRSIGcom.

DNSKEY KSKcom.

DNSKEY ZSKcom.

DNSKEY RRSIGcom.

A RRSIG.

DNSKEY ZSK.

DNSKEY RRSIG.

29

Solution: DNSSEC (done right)Digital signatures in the DNS

Live-signed answers

Elliptic curve keys

30

Solution: DNSSEC (done right)cloudflare.net. 300 IN A 104.20.36.89

cloudflare.net. 300 IN A 104.20.37.89

cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha /Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ==

ietf.org. 1800 IN A 4.31.198.44

ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA==

31

Issues addressedFix zone enumeration with live signing

Fix live signing with ECDSA — in the Go language

Vlad performance improvements

Amplification-neutral

32

ECDSA - Miscellaneous• Randomness breaks ECDSA

• Fixed by RFC 6979

• Patent issues • ECDSA is not supported by Red Hat

• A Riddle Wrapped in an Enigma • Koblitz & Menezes paper on Suite B

• Are the NIST curves safe?33

Elliptic Curve CryptographyBringing it to the mainstream

Nick Sullivan @grittygrease

nick@cloudflare.com