Bringing Elliptic Curve Cryptography into the Mainstream
In this talk I will describe how CloudFlare helped take elliptic curve cryptography from a promising technology with low adoption to core part of the HTTPS revolution. Two years ago, almost every public key used on the web for HTTPS was an RSA key. In 2013, the zmap team from University of Michigan scanned the entire web and found fewer than twenty non-RSA certificates. Over the next two years, CloudFlare took that number into the millions with the Universal SSL project. We’ll describe how using ECDSA (Elliptic Curve Digital Signature Algorithm) keys instead of RSA keys played a crucial role in enabling this project. With Universal SSL, any website can become HTTPS-enabled for free. Elliptic curve cryptography is not just useful for HTTPS, there are other protocols for which it provides an advantage over RSA. One of these is DNSSEC, the algorithm that lets administrators digitally sign DNS records for authenticity. DNSSEC been described as difficult deploy and dangerous because of the potential to abuse it in amplification/reflection attacks. In October 2015, CloudFlare launched its automated DNSSEC beta program. We’ll describe some of the tweaks we made to easily scale DNSSEC to millions of zones and how ECDSA keys helped solve some of the protocol’s major issues.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Bringing Elliptic Curve Cryptography into the Mainstream
Similar to Bringing Elliptic Curve Cryptography into the Mainstream (20)
Recently uploaded
Recently uploaded (20)
Bringing Elliptic Curve Cryptography into the Mainstream
- 1. Elliptic Curve Cryptography Bringing it to the mainstream Stanford Security Lunch November 4, 2015 Nick Sullivan @grittygrease nick@cloudflare.com
- 4. DNS
- 5. HTTP
- 6. HTTPS The “S” stands for TLS
- 9. HTTPS Adoption (2013) • 2,545,693 valid RSA 2048-bit certificates Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013) • Zero valid ECDSA certificates 9
- 12. Goal Enable HTTPS by default for ~2 million free customers 12
- 13. Issue: Scale ~30 Trillion Requests/ Day 13
- 14. What is expensive in TLS? • Private key Operations • Bulk encryption 14
- 15. Bulk Encryption • Basically free with modern Intel processors • AES-GCM on Haswell is ~1 cycle per byte 15
- 16. Private Key Operations • Orders of magnitude slower than symmetric crypto • RSA ~2,000,000 cycles per signature on Haswell • ~500 Quadrillion Cycles/Day 16
- 17. We can do better • Session resumption (~33%) 17
- 18. ECDSA Elliptic Curve Digital Signature Algorithm
- 19. ECDSA • Digital signature algorithm based on elliptic curve crypto • Widely studied, no sub-exponential discrete logarithm • Standardized NIST Curves (P256, P384, P521) • NSA Suite B (Secret and Top Secret) 19
- 20. EQUATIONS!!! 20
- 21. ECDSA Advantages • Smaller keys (256bit EC ~ 3072bit RSA) • Faster signatures (~800K vs 2M) • Vlad Krasnov improved to ~375K by using x86_64 asm • Merged into OpenSSL, Golang • Saves 300 Quadrillion Cycles/Day (given 100% HTTPS) 21
- 22. ECDSA Downsides • Slower signature verification • Less ubiquitous • Roots were added in • Some systems don’t support ECDSA (Android 2, Windows XP) • Patent encumbrances • Not quantum-safe: subject to Shor’s algorithm 22
- 23. Universal SSL • Free ECDSA certificates for all customers • HTTPS enabled by default • Total number of HTTPS sites is up by over 2 million • SNI-only so scans undercount 23
- 26. Cache Poisoning (Kaminsky’s attack) 26 Resolver Authoritative Server Q: what is the IP address of cloudflare.com A: 198.41.213.157 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A: 6.6.6.6 A: 6.6.6.6
- 27. Man-in-the-middle 27 Resolver Authoritative Server Q: what is the IP address of cloudflare.com A: 198.41.213.157A: 6.6.6.6
- 28. DNSSEC signature verification 28 A example.com. A RRSIG example.com. DNSKEY KSK example.com. DNSKEY KSK . Verisign Authoritative (i.e. CloudFlare) ICANN DS example.com. DS com. Root Key DNSKEY ZSK example.com. DNSKEY RRSIG example.com. DS RRSIG com. DNSKEY KSK com. DNSKEY ZSK com. DNSKEY RRSIG com. A RRSIG . DNSKEY ZSK . DNSKEY RRSIG .
- 29. 29
- 30. Solution: DNSSEC (done right) Digital signatures in the DNS Live-signed answers Elliptic curve keys 30
- 31. Solution: DNSSEC (done right) cloudflare.net. 300 IN A 104.20.36.89 cloudflare.net. 300 IN A 104.20.37.89 cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha / Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ== ietf.org. 1800 IN A 4.31.198.44 ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/ UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP +z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA== 31
- 32. Issues addressed Fix zone enumeration with live signing Fix live signing with ECDSA — in the Go language Vlad performance improvements Amplification-neutral 32
- 33. ECDSA - Miscellaneous • Randomness breaks ECDSA • Fixed by RFC 6979 • Patent issues • ECDSA is not supported by Red Hat • A Riddle Wrapped in an Enigma • Koblitz & Menezes paper on Suite B • Are the NIST curves safe? 33
- 34. Elliptic Curve Cryptography Bringing it to the mainstream Nick Sullivan @grittygrease nick@cloudflare.com