Re: [TLS] TLS Client Puzzles
Watson Ladd <watsonbladd@gmail.com> Tue, 07 July 2015 03:16 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 408001A88F9 for <tls@ietfa.amsl.com>; Mon, 6 Jul 2015 20:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xPIAyqH8i6QA for <tls@ietfa.amsl.com>; Mon, 6 Jul 2015 20:16:05 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4904C1A87F2 for <tls@ietf.org>; Mon, 6 Jul 2015 20:16:05 -0700 (PDT)
Received: by wifm2 with SMTP id m2so46375676wif.1 for <tls@ietf.org>; Mon, 06 Jul 2015 20:16:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=sFhFqrRTyW5VnRGnDyM9ziUIrNHX02hxO0yoQtzk3S8=; b=RW4ddNhODkO0f6rmej/cqK5TO3dZtw4fTX7nnO6DHcjGDPVyiVTfSmLH9BN1RSSilr ZT5fVVNMNBiEOI7CpkbaoKwZVZ+t9gME6DBItx8FG1ljVgCcdGzPwBZnn8b0O8HSYYiZ 8tonDJRtNZkKCtakiXyu2wf6F9ljqj0yejAUI4SjrJwUUqBoU9pcye1N7iMJHHPX565a OwJNYeGK6v7UFAa52afZ3wVTz2yuZRkkq1OnwTlFPzwibfV9uZokKzYsl5rFh9U3fDWq BSISJxvKOf/PmxCVwEj1YxpNKiCnskvx2OeoXJY3QknS3oYrnd1biTu07F0Bw1iqVWNn hzEg==
MIME-Version: 1.0
X-Received: by 10.180.92.162 with SMTP id cn2mr58194716wib.26.1436238963974; Mon, 06 Jul 2015 20:16:03 -0700 (PDT)
Received: by 10.194.20.97 with HTTP; Mon, 6 Jul 2015 20:16:03 -0700 (PDT)
In-Reply-To: <CAKC-DJgcaPmB9svO7GYZvurDprGPYNcWR=iAHGi21ZrcmaC4gg@mail.gmail.com>
References: <CAKC-DJjfq_Lw6ovX=sVFt3=4q_4CYo_N79PZFx+LrGj7DbLK+w@mail.gmail.com> <CAHOTMVKYS75xqeVsHmmuxRFMRqgAVJ_U-1c825LMn8+h+QmOdA@mail.gmail.com> <CAKC-DJgcaPmB9svO7GYZvurDprGPYNcWR=iAHGi21ZrcmaC4gg@mail.gmail.com>
Date: Mon, 06 Jul 2015 20:16:03 -0700
Message-ID: <CACsn0c=NFUCCSUL=03Uf6+rQHgUEwxxsqfOuc2a3HSoFsu3MWg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xq5aAl2DobRISHxcc8TbtdxnCug>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Client Puzzles
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 03:16:07 -0000
On Mon, Jul 6, 2015 at 7:39 PM, Erik Nygren <erik+ietf@nygren.org> wrote: > Sadly, even the ECDSA schemes and ECDHE key exchange still require the > server > to do significant work without the client needing to do any work. For > example on a > sample modern processor (per core): > > - RSA 2048 signs = 1,070 per second > - ECDSA P-256 signs = 10,515 per second > - ECDHE P-256 ops = 6,070 per second > - SHA-256 of 64 byte blocks = 2,136,484 per second These numbers are far below what faster cryptography can deliver: I have nearly a million gls254 computations per second, and 50,000 key agreements per second on a kummer surface. Changing TLS to not require online signing would realize this degree of performance. At these rates you saturate gigabit ethernet connections, which puzzles will not help with. In fact, they will make the problem worse. > > So even if you can ditch RSA signatures and do one ECDSA signature > and one ECDHE op for key exchange, you're doing 3848 per core (so 3.8x over > RSA > which is a big boost, but not orders of magnitude of improvement). > This helps a bunch, but there's no need for a client to do any work to get > you to do that work. > > With a client puzzle and when under attack, you do some small number of > SHA-256 ops > and then the client will have to do some amount of work of your choosing. > For example, giving the client ~500 SHA-256 rounds to do before you do an > ECDSA > signature will put the server at-parity with the client with respect to > amount of crypto work. > > I'm all for simple solutions here, which is part of why anything here would > ideally > share as much in common with what's needed for DTLS cookies as well as use > crypto routines already in-use in TLS as much as possible... What about improving performance? That avoids any protocol changes, and brings about the benefits you seem to want. > > Erik > > > > On Mon, Jul 6, 2015 at 9:51 PM, Tony Arcieri <bascule@gmail.com> wrote: >> >> On Thu, Jul 2, 2015 at 2:40 PM, Erik Nygren <erik+ietf@nygren.org> wrote: >>> >>> Following a discussion last year in Denver, I've written up a proposal >>> for a TLS Client Puzzles extension. >> >> >> I'm sorry, but I think this is the wrong approach. >> >> I assume you're trying to solve the asymmetrical computation requirements >> of RSA, a.k.a. the "THC DoS attack" >> >> If you're using RSA for key exchange, don't. It's very broken in more ways >> than DoS. >> If you're using RSA for signatures, it should be deprecated and phased >> out. >> >> Trying to solve the latter problem by complecting TLS is likewise >> something I oppose. >> >> Moving to ECC-based signatures (ECDSA or EdDSA or >> CFRG-yet-to-be-standardized-signatures) would obviate this problem without >> complecting the TLS protocol. ECC punts the computational burden to the >> client, elegantly solving this problem by using the algorithms we want to >> move to anyway. >> >> Complexity is the enemy of security. >> >> I prefer simplicity. To solve this same problem, I would prefer RSA >> diediedie. I know that's a stretch, but I would prefer TLS gravitate towards >> simple solutions than adding complex band-aids. >> >> -- >> Tony Arcieri > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Yoav Nir
- Re: [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Douglas Stebila
- Re: [TLS] TLS Client Puzzles Jeffrey Walton
- Re: [TLS] TLS Client Puzzles Tony Arcieri
- Re: [TLS] TLS Client Puzzles Erik Nygren
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Watson Ladd
- Re: [TLS] TLS Client Puzzles Dave Garrett
- Re: [TLS] TLS Client Puzzles Brian Sniffen
- Re: [TLS] TLS Client Puzzles Martin Thomson
- Re: [TLS] TLS Client Puzzles Jeffrey Walton
- Re: [TLS] TLS Client Puzzles Martin Thomson