bringing elliptic curve cryptography into the mainstream
TRANSCRIPT
![Page 1: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/1.jpg)
Elliptic Curve CryptographyBringing it to the mainstream
Stanford Security Lunch November 4, 2015
Nick Sullivan @grittygrease
![Page 2: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/2.jpg)
![Page 3: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/3.jpg)
![Page 4: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/4.jpg)
DNS
![Page 5: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/5.jpg)
HTTP
![Page 6: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/6.jpg)
HTTPSThe “S” stands for TLS
![Page 7: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/7.jpg)
![Page 8: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/8.jpg)
![Page 9: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/9.jpg)
HTTPS Adoption (2013)• 2,545,693 valid RSA 2048-bit certificates
Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013)
• Zero valid ECDSA certificates
9
![Page 10: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/10.jpg)
CloudFlare Reverse Proxy
10
![Page 11: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/11.jpg)
11
CACloudFlare
CloudFlare Edge DNS
CSR
TXT?
Proof
TXT?
Proof
Certificate
Proof
![Page 12: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/12.jpg)
Goal
Enable HTTPS by default for ~2 million free
customers12
![Page 13: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/13.jpg)
Issue: Scale
~30 Trillion Requests/Day
13
![Page 14: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/14.jpg)
What is expensive in TLS?• Private key Operations
• Bulk encryption
14
![Page 15: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/15.jpg)
Bulk Encryption• Basically free with modern Intel processors
• AES-GCM on Haswell is ~1 cycle per byte
15
![Page 16: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/16.jpg)
Private Key Operations• Orders of magnitude slower than symmetric crypto
• RSA ~2,000,000 cycles per signature on Haswell
• ~500 Quadrillion Cycles/Day
16
![Page 17: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/17.jpg)
We can do better• Session resumption (~33%)
17
![Page 18: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/18.jpg)
ECDSAElliptic Curve Digital Signature Algorithm
![Page 19: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/19.jpg)
ECDSA• Digital signature algorithm based on elliptic curve crypto
• Widely studied, no sub-exponential discrete logarithm
• Standardized NIST Curves (P256, P384, P521)
• NSA Suite B (Secret and Top Secret)
19
![Page 20: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/20.jpg)
EQUATIONS!!!
20
![Page 21: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/21.jpg)
ECDSA Advantages• Smaller keys (256bit EC ~ 3072bit RSA)
• Faster signatures (~800K vs 2M)
• Vlad Krasnov improved to ~375K by using x86_64 asm
• Merged into OpenSSL, Golang
• Saves 300 Quadrillion Cycles/Day (given 100% HTTPS)
21
![Page 22: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/22.jpg)
ECDSA Downsides• Slower signature verification
• Less ubiquitous
• Roots were added in
• Some systems don’t support ECDSA (Android 2, Windows XP)
• Patent encumbrances
• Not quantum-safe: subject to Shor’s algorithm
22
![Page 23: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/23.jpg)
Universal SSL• Free ECDSA certificates for all customers
• HTTPS enabled by default
• Total number of HTTPS sites is up by over 2 million
• SNI-only so scans undercount
23
![Page 24: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/24.jpg)
What about DNS?
24
![Page 25: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/25.jpg)
Authoritative Servers
25
![Page 26: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/26.jpg)
Cache Poisoning (Kaminsky’s attack)
26
Resolver AuthoritativeServer
Q: what is the IP address of cloudflare.com
A: 198.41.213.157
A: 6
.6.6
.6
A: 6
.6.6
.6 A: 6.6.6.6
A: 6.6.6.6A: 6.6.6.6
A: 6.6.6.6A: 6.6.6.6
![Page 27: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/27.jpg)
Man-in-the-middle
27
ResolverAuthoritative
Server
Q: what is the IP address of cloudflare.com
A: 198.41.213.157A: 6.6.6.6
![Page 28: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/28.jpg)
DNSSEC signature verification
28
Aexample.com. A RRSIG
example.com.DNSKEY KSKexample.com.
DNSKEY KSK .
Verisign
Authoritative(i.e. CloudFlare)
ICANN
DSexample.com.
DScom.
Root Key
DNSKEY ZSKexample.com.
DNSKEY RRSIGexample.com.
DS RRSIGcom.
DNSKEY KSKcom.
DNSKEY ZSKcom.
DNSKEY RRSIGcom.
A RRSIG.
DNSKEY ZSK.
DNSKEY RRSIG.
![Page 29: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/29.jpg)
29
![Page 30: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/30.jpg)
Solution: DNSSEC (done right)Digital signatures in the DNS
Live-signed answers
Elliptic curve keys
30
![Page 31: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/31.jpg)
Solution: DNSSEC (done right)cloudflare.net. 300 IN A 104.20.36.89
cloudflare.net. 300 IN A 104.20.37.89
cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha /Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ==
ietf.org. 1800 IN A 4.31.198.44
ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA==
31
![Page 32: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/32.jpg)
Issues addressedFix zone enumeration with live signing
Fix live signing with ECDSA — in the Go language
Vlad performance improvements
Amplification-neutral
32
![Page 33: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/33.jpg)
ECDSA - Miscellaneous• Randomness breaks ECDSA
• Fixed by RFC 6979
• Patent issues • ECDSA is not supported by Red Hat
• A Riddle Wrapped in an Enigma • Koblitz & Menezes paper on Suite B
• Are the NIST curves safe?33
![Page 34: Bringing Elliptic Curve Cryptography into the Mainstream](https://reader031.vdocuments.mx/reader031/viewer/2022022203/5872e88c1a28abfa548b685d/html5/thumbnails/34.jpg)
Elliptic Curve CryptographyBringing it to the mainstream
Nick Sullivan @grittygrease