In this talk I will describe how CloudFlare helped take elliptic curve cryptography from a promising technology with low adoption to a core part of the HTTPS revolution.
Two years ago, almost every public key used on the web for HTTPS was an RSA key. In 2013, the zmap team from the University of Michigan scanned the entire web and found fewer than twenty non-RSA certificates. Over the next two years, CloudFlare took that number into the millions with the Universal SSL project. We’ll describe how using ECDSA (Elliptic Curve Digital Signature Algorithm) keys instead of RSA keys played a crucial role in enabling this project. With Universal SSL, any website can become HTTPS-enabled for free.
Elliptic curve cryptography is not just useful for HTTPS; there are other protocols for which it provides an advantage over RSA. One of these is DNSSEC, the DNS extension that lets administrators digitally sign DNS records for authenticity. DNSSEC has been described as difficult to deploy and dangerous because of the potential to abuse it in amplification/reflection attacks. In October 2015, CloudFlare launched its automated DNSSEC beta program. We’ll describe some of the tweaks we made to easily scale DNSSEC to millions of zones and how ECDSA keys helped solve some of the protocol’s major issues.
19. ECDSA
• Digital signature algorithm based on elliptic curve crypto
• Widely studied, no sub-exponential discrete logarithm
• Standardized NIST Curves (P256, P384, P521)
• NSA Suite B (Secret and Top Secret)
21. ECDSA Advantages
• Smaller keys (256-bit EC ~ 3072-bit RSA)
• Faster signatures (~800K vs 2M)
• Vlad Krasnov improved to ~375K by using x86_64 asm
• Merged into OpenSSL, Golang
• Saves 300 Quadrillion Cycles/Day (given 100% HTTPS)
22. ECDSA Downsides
• Slower signature verification
• Less ubiquitous
• Roots were added in
• Some systems don’t support ECDSA (Android 2, Windows XP)
• Patent encumbrances
• Not quantum-safe: subject to Shor’s algorithm
23. Universal SSL
• Free ECDSA certificates for all customers
• HTTPS enabled by default
• Total number of HTTPS sites is up by over 2 million
• SNI-only so scans undercount
26. Cache Poisoning (Kaminsky’s attack)
[Diagram: Resolver and Authoritative Server]
Q: what is the IP address of cloudflare.com
A: 198.41.213.157
A: 6.6.6.6 (shown many times)
30. Solution: DNSSEC (done right)
Digital signatures in the DNS
Live-signed answers
Elliptic curve keys
31. Solution: DNSSEC (done right)
cloudflare.net. 300 IN A 104.20.36.89
cloudflare.net. 300 IN A 104.20.37.89
cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net.
1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha /Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ==
ietf.org. 1800 IN A 4.31.198.44
ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org.
DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/
UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX
m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP
+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl
y6BdTA==
32. Issues addressed
Fix zone enumeration with live signing
Fix live signing with ECDSA — in the Go language
Vlad performance improvements
Amplification-neutral
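The two RRSIG records on the "DNSSEC (done right)" slide can be compared directly: the sketch below parses both and reports algorithm, signature size and validity window, which is what the amplification point turns on. It is an added example, not code from the talk or from CloudFlare; the function names `parse_rrsig` and `valid_at` are hypothetical and the algorithm table is a subset of the IANA DNSSEC algorithm numbers.

```python
import base64
from datetime import datetime, timezone

# Subset of the IANA DNSSEC algorithm numbers (5 = RSA/SHA-1, 13 = ECDSA P-256).
ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# The two RRSIG records shown on the slide, in presentation format.
CLOUDFLARE_RRSIG = (
    "cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 "
    "cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha "
    "/Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ==")
IETF_RRSIG = (
    "ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. "
    "DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH "
    "Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/UnTsX62on0SQft/YkgAogMdZI "
    "U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX "
    "m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ "
    "AZMSJyTuJxB+6z+59v4/QxP+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN "
    "708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA==")

def _ts(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record; base64 chunks may be split by whitespace."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    sig = base64.b64decode("".join(f[12:]), validate=True)
    return {
        "owner": f[0], "covered": f[4],
        "algorithm": ALGORITHMS.get(int(f[5]), "alg-" + f[5]),
        "expiration": _ts(f[8]), "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "sig_bytes": len(sig),
    }

def valid_at(rr, when):
    """True if `when` lies inside the signature validity window."""
    return rr["inception"] <= when <= rr["expiration"]

if __name__ == "__main__":
    for rec in (CLOUDFLARE_RRSIG, IETF_RRSIG):
        rr = parse_rrsig(rec)
        window = rr["expiration"] - rr["inception"]
        print(rr["owner"], rr["algorithm"], rr["sig_bytes"], "bytes, window", window)
```

The ECDSA signature decodes to 64 bytes against 256 for the RSA one, and the live-signed record's validity window is about two days against roughly a year.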
33. ECDSA - Miscellaneous
• Bad randomness breaks ECDSA
• Fixed by RFC 6979
• Patent issues
• ECDSA is not supported by Red Hat
• A Riddle Wrapped in an Enigma
• Koblitz & Menezes paper on Suite B
• Are the NIST curves safe?