SlideShare a Scribd company logo

Bringing Elliptic Curve Cryptography into the Mainstream

Nick Sullivan, profile picture
Nick Sullivan

Nick Sullivan's presentation on elliptic curve cryptography (ECC) discusses its mainstream adoption for enhancing HTTPS security, highlighting the advantages of ECDSA over traditional RSA signatures, particularly in terms of speed and key size. He emphasizes that while ECDSA saves substantial resources in certificate operations, it faces challenges such as slower verification, lack of support in some systems, and vulnerability to quantum attacks. The talk also covers DNS security improvements through DNSSEC, leveraging ECC for digital signatures to ensure reliable and secure domain name resolutions.

Technology
1 of 34
Downloaded 65 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Elliptic Curve Cryptography Bringing it to the mainstream Stanford Security Lunch November 4, 2015 Nick Sullivan @grittygrease nick@cloudflare.com
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the Mainstream
DNS
HTTP
HTTPS The “S” stands for TLS
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the Mainstream
HTTPS Adoption (2013) • 2,545,693 valid RSA 2048-bit certificates
 Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013) • Zero valid ECDSA certificates 9
CloudFlare Reverse Proxy 10
11 CACloudFlare CloudFlare Edge DNS CSR TXT? Proof TXT? Proof Certificate Proof
Goal Enable HTTPS by default for ~2 million free customers 12
Issue: Scale ~30 Trillion Requests/ Day 13
What is expensive in TLS? • Private key Operations • Bulk encryption 14
Bulk Encryption • Basically free with modern Intel processors • AES-GCM on Haswell is ~1 cycle per byte 15
Private Key Operations • Orders of magnitude slower than symmetric crypto • RSA ~2,000,000 cycles per signature on Haswell • ~500 Quadrillion Cycles/Day 16
We can do better • Session resumption (~33%) 17
ECDSA Elliptic Curve Digital Signature Algorithm
ECDSA • Digital signature algorithm based on elliptic curve crypto • Widely studied, no sub-exponential discrete logarithm • Standardized NIST Curves (P256, P384, P521) • NSA Suite B (Secret and Top Secret) 19
EQUATIONS!!! 20
ECDSA Advantages • Smaller keys (256bit EC ~ 3072bit RSA) • Faster signatures (~800K vs 2M) • Vlad Krasnov improved to ~375K by using x86_64 asm • Merged into OpenSSL, Golang • Saves 300 Quadrillion Cycles/Day (given 100% HTTPS) 21
ECDSA Downsides • Slower signature verification • Less ubiquitous • Roots were added in • Some systems don’t support ECDSA (Android 2, Windows XP) • Patent encumbrances • Not quantum-safe: subject to Shor’s algorithm 22
Universal SSL • Free ECDSA certificates for all customers • HTTPS enabled by default • Total number of HTTPS sites is 
 up by over 2 million • SNI-only so scans undercount 23
What about DNS? 24
Authoritative Servers 25
Cache Poisoning (Kaminsky’s attack) 26 Resolver Authoritative Server Q: what is the IP address of cloudflare.com A: 198.41.213.157 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A: 6.6.6.6 A: 6.6.6.6
Man-in-the-middle 27 Resolver Authoritative Server Q: what is the IP address of cloudflare.com A: 198.41.213.157A: 6.6.6.6
DNSSEC signature verification 28 A example.com. A RRSIG example.com. DNSKEY KSK example.com. DNSKEY KSK . Verisign Authoritative (i.e. CloudFlare) ICANN DS example.com. DS com. Root Key DNSKEY ZSK example.com. DNSKEY RRSIG example.com. DS RRSIG com. DNSKEY KSK com. DNSKEY ZSK com. DNSKEY RRSIG com. A RRSIG . DNSKEY ZSK . DNSKEY RRSIG .
29
Solution: DNSSEC (done right) Digital signatures in the DNS Live-signed answers Elliptic curve keys 30
Solution: DNSSEC (done right) cloudflare.net. 300 IN A 104.20.36.89 cloudflare.net. 300 IN A 104.20.37.89 cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha / Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ== ietf.org. 1800 IN A 4.31.198.44 ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/ UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP +z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA== 31
Issues addressed Fix zone enumeration with live signing Fix live signing with ECDSA — in the Go language Vlad performance improvements Amplification-neutral 32
ECDSA - Miscellaneous • Randomness breaks ECDSA • Fixed by RFC 6979 • Patent issues • ECDSA is not supported by Red Hat • A Riddle Wrapped in an Enigma • Koblitz & Menezes paper on Suite B • Are the NIST curves safe? 33
Elliptic Curve Cryptography Bringing it to the mainstream Nick Sullivan @grittygrease nick@cloudflare.com

More Related Content

PDF
What's New in Go Crypto - Gotham Go
Nick Sullivan
 
PDF
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
Nick Sullivan
 
PDF
An analysis of TLS handshake proxying
Nick Sullivan
 
PDF
Scaling Push Messaging for Millions of Devices @Netflix
C4Media
 
PDF
Virus Bulletin 2012
Cloudflare
 
PDF
Heartache and Heartbleed - 31c3
Nick Sullivan
 
PDF
Sullivan randomness-infiltrate 2014
Cloudflare
 
PDF
Sullivan red october-oscon-2014
Cloudflare
 
What's New in Go Crypto - Gotham Go
Nick Sullivan
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
Nick Sullivan
 
An analysis of TLS handshake proxying
Nick Sullivan
 
Scaling Push Messaging for Millions of Devices @Netflix
C4Media
 
Virus Bulletin 2012
Cloudflare
 
Heartache and Heartbleed - 31c3
Nick Sullivan
 
Sullivan randomness-infiltrate 2014
Cloudflare
 
Sullivan red october-oscon-2014
Cloudflare
 

What's hot (20)

PDF
Sullivan heartbleed-defcon22 2014
Cloudflare
 
PDF
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
 
PDF
Sullivan handshake proxying-ieee-sp_2014
Cloudflare
 
PDF
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
Kevin Jones
 
PPTX
The 3 Models in the NGINX Microservices Reference Architecture
NGINX, Inc.
 
PDF
Sullivan white boxcrypto-baythreat-2013
Cloudflare
 
PDF
Running Secure Server Software on Insecure Hardware Without Parachute
Cloudflare
 
PPTX
Botconf ppt
Cloudflare
 
PDF
Bridges and Tunnels: A Drive Through OpenStack Networking
markmcclain
 
PDF
Serverless for the Cloud Native Era with Fission
NATS
 
PDF
GopherCon 2017 - Writing Networking Clients in Go: The Design & Implementati...
wallyqs
 
PPTX
NGINX Plus PLATFORM For Flawless Application Delivery
Ashnikbiz
 
PDF
DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud
Colin Estep
 
PDF
Advanced Crypto Service Provider – cryptography as a service
Smart Coders
 
PDF
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
NGINX, Inc.
 
ODP
Certificate based access type in openstack Manila @ openstack paris nov. 2014
Deepak Shetty
 
PPTX
MRA AMA Part 7: The Circuit Breaker Pattern
NGINX, Inc.
 
PDF
Redecentralizing the Web: IPFS and Filecoin
Facultad de Informática UCM
 
PDF
Using NGINX as an Effective and Highly Available Content Cache
Kevin Jones
 
PDF
NATS vs HTTP
Apcera
 
Sullivan heartbleed-defcon22 2014
Cloudflare
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
 
Sullivan handshake proxying-ieee-sp_2014
Cloudflare
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
Kevin Jones
 
The 3 Models in the NGINX Microservices Reference Architecture
NGINX, Inc.
 
Sullivan white boxcrypto-baythreat-2013
Cloudflare
 
Running Secure Server Software on Insecure Hardware Without Parachute
Cloudflare
 
Botconf ppt
Cloudflare
 
Bridges and Tunnels: A Drive Through OpenStack Networking
markmcclain
 
Serverless for the Cloud Native Era with Fission
NATS
 
GopherCon 2017 - Writing Networking Clients in Go: The Design & Implementati...
wallyqs
 
NGINX Plus PLATFORM For Flawless Application Delivery
Ashnikbiz
 
DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud
Colin Estep
 
Advanced Crypto Service Provider – cryptography as a service
Smart Coders
 
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
NGINX, Inc.
 
Certificate based access type in openstack Manila @ openstack paris nov. 2014
Deepak Shetty
 
MRA AMA Part 7: The Circuit Breaker Pattern
NGINX, Inc.
 
Redecentralizing the Web: IPFS and Filecoin
Facultad de Informática UCM
 
Using NGINX as an Effective and Highly Available Content Cache
Kevin Jones
 
NATS vs HTTP
Apcera
 
Ad

Similar to Bringing Elliptic Curve Cryptography into the Mainstream (20)

PPTX
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
PDF
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
PDF
IoT Secure Bootsrapping : ideas
Jean-Baptiste Trystram
 
PDF
DANE and Application Uses of DNSSEC
Shumon Huque
 
PPT
Dns protocol design attacks and security
Michael Earls
 
PPTX
TLS/SSL - Study of Secured Communications
Nitin Ramesh
 
PPTX
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
NGINX, Inc.
 
PPTX
State of the Web
CASCouncil
 
PDF
An Introduction to DANE - Securing TLS using DNSSEC
Carlos Martinez Cagnazzo
 
PDF
The Trusted Cloud Transfer Protocol (TCTP)
Mathias Slawik
 
PPTX
SSL overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PPTX
DNS - MCSE 2019
Milad Es'Haghi
 
PDF
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
PPT
ieeehs042204d
John Hines
 
PPTX
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
PPTX
Using hypervisor and container technology to increase datacenter security pos...
Black Duck by Synopsys
 
PDF
Servers.com Company Presentation 2020
Servers.com
 
PDF
Consul and Complex Networks
slackpad
 
PPT
Cryptography in Human computer interaction powerpoint
ramlaabdikarim001
 
PDF
Alternatives and Enhancements to CAs for a Secure Web
CASCouncil
 
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
IoT Secure Bootsrapping : ideas
Jean-Baptiste Trystram
 
DANE and Application Uses of DNSSEC
Shumon Huque
 
Dns protocol design attacks and security
Michael Earls
 
TLS/SSL - Study of Secured Communications
Nitin Ramesh
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
NGINX, Inc.
 
State of the Web
CASCouncil
 
An Introduction to DANE - Securing TLS using DNSSEC
Carlos Martinez Cagnazzo
 
The Trusted Cloud Transfer Protocol (TCTP)
Mathias Slawik
 
SSL overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
DNS - MCSE 2019
Milad Es'Haghi
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
ieeehs042204d
John Hines
 
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Black Duck by Synopsys
 
Servers.com Company Presentation 2020
Servers.com
 
Consul and Complex Networks
slackpad
 
Cryptography in Human computer interaction powerpoint
ramlaabdikarim001
 
Alternatives and Enhancements to CAs for a Secure Web
CASCouncil
 
Ad

Recently uploaded (20)

PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Approach and Philosophy of On baking technology
30anthuong17
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Cloud computing and distributed systems.
kkkkkhan
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Teaching material agriculture food technology
LiaRayya
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 

Bringing Elliptic Curve Cryptography into the Mainstream

  • 1. Elliptic Curve Cryptography Bringing it to the mainstream Stanford Security Lunch November 4, 2015 Nick Sullivan @grittygrease nick@cloudflare.com
  • 4. DNS
  • 9. HTTPS Adoption (2013) • 2,545,693 valid RSA 2048-bit certificates
 Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013) • Zero valid ECDSA certificates 9
  • 12. Goal Enable HTTPS by default for ~2 million free customers 12
  • 13. Issue: Scale ~30 Trillion Requests/ Day 13
  • 14. What is expensive in TLS? • Private key Operations • Bulk encryption 14
  • 15. Bulk Encryption • Basically free with modern Intel processors • AES-GCM on Haswell is ~1 cycle per byte 15
  • 16. Private Key Operations • Orders of magnitude slower than symmetric crypto • RSA ~2,000,000 cycles per signature on Haswell • ~500 Quadrillion Cycles/Day 16
  • 17. We can do better • Session resumption (~33%) 17
  • 18. ECDSA Elliptic Curve Digital Signature Algorithm
  • 19. ECDSA • Digital signature algorithm based on elliptic curve crypto • Widely studied, no sub-exponential discrete logarithm • Standardized NIST Curves (P256, P384, P521) • NSA Suite B (Secret and Top Secret) 19
  • 21. ECDSA Advantages • Smaller keys (256bit EC ~ 3072bit RSA) • Faster signatures (~800K vs 2M) • Vlad Krasnov improved to ~375K by using x86_64 asm • Merged into OpenSSL, Golang • Saves 300 Quadrillion Cycles/Day (given 100% HTTPS) 21
  • 22. ECDSA Downsides • Slower signature verification • Less ubiquitous • Roots were added in • Some systems don’t support ECDSA (Android 2, Windows XP) • Patent encumbrances • Not quantum-safe: subject to Shor’s algorithm 22
  • 23. Universal SSL • Free ECDSA certificates for all customers • HTTPS enabled by default • Total number of HTTPS sites is 
 up by over 2 million • SNI-only so scans undercount 23
  • 26. Cache Poisoning (Kaminsky’s attack) 26 Resolver Authoritative Server Q: what is the IP address of cloudflare.com A: 198.41.213.157 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A: 6.6.6.6 A: 6.6.6.6
  • 27. Man-in-the-middle 27 Resolver Authoritative Server Q: what is the IP address of cloudflare.com A: 198.41.213.157A: 6.6.6.6
  • 28. DNSSEC signature verification 28 A example.com. A RRSIG example.com. DNSKEY KSK example.com. DNSKEY KSK . Verisign Authoritative (i.e. CloudFlare) ICANN DS example.com. DS com. Root Key DNSKEY ZSK example.com. DNSKEY RRSIG example.com. DS RRSIG com. DNSKEY KSK com. DNSKEY ZSK com. DNSKEY RRSIG com. A RRSIG . DNSKEY ZSK . DNSKEY RRSIG .
  • 29. 29
  • 30. Solution: DNSSEC (done right) Digital signatures in the DNS Live-signed answers Elliptic curve keys 30
  • 31. Solution: DNSSEC (done right) cloudflare.net. 300 IN A 104.20.36.89 cloudflare.net. 300 IN A 104.20.37.89 cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha / Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ== ietf.org. 1800 IN A 4.31.198.44 ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/ UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP +z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA== 31
  • 32. Issues addressed Fix zone enumeration with live signing Fix live signing with ECDSA — in the Go language Vlad performance improvements Amplification-neutral 32
  • 33. ECDSA - Miscellaneous • Randomness breaks ECDSA • Fixed by RFC 6979 • Patent issues • ECDSA is not supported by Red Hat • A Riddle Wrapped in an Enigma • Koblitz & Menezes paper on Suite B • Are the NIST curves safe? 33
  • 34. Elliptic Curve Cryptography Bringing it to the mainstream Nick Sullivan @grittygrease nick@cloudflare.com