making the case for elliptic curves in dnssec
play

Making the Case for Elliptic Curves in DNSSEC an analysis of the - PowerPoint PPT Presentation

Dec 26, 2022 •233 likes •408 views

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

  1. Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org

  2. Introduction • DNSSEC deployment has taken off, but there are still operational issues • Fragmentation • Amplification • Complex key management • Root cause of many of these problems: use of RSA • ECDSA standardised in RFC 6605 (2012), but still sees very little use (but is discussed a lot!)

  3. Fragmentation • Well known problem; up to 10% of resolvers may not be able to receive fragmented responses* • Solutions available: • Configure minimal responses • Better fallback behaviour in resolver software • Stricter phrasing of RFC 6891 (EDNS0) *Van den Broek, J., Van Rijswijk-Deij, R., Pras, A., Sperotto, A., “DNSSEC Meets Real World: Dealing with Unreachability Caused by Fragmentation”, IEEE Communications Magazine, volume 52, issue 4 (2014).

  4. Fragmentation • Setting minimal responses pays off: • But fragmentation still occurs!

  5. Amplification • DNSSEC is a potent amplifier* without DNSSEC combined 30% .com .net 25% .org percentage of domains with DNSSEC .uk .se 20% .nl 15% theoretical maximum amplification of regular DNS 10% 5% 0% 0 10 20 30 40 50 60 70 80 Amplification factor [bin=0.1] * Van Rijswijk-Deij, R., Sperotto, A., & Pras, A. (2014). DNSSEC and its potential for DDoS attacks. In Proceedings of ACM IMC 2014. Vancouver, BC, Canada: ACM Press

  6. Amplification • While ANY could be suppressed, DNSKEY cannot! com 14% net org 12% theor. maximum uk amplification percentage of domains of regular DNS se 10% nl 8% 6% 4% 2% 0% 0 10 20 30 40 50 Amplification factor [bin=0.1]

  7. Root cause: RSA • RSA keys are large • 1024-bit —> 128 byte signatures, ±132 bytes DNSKEY records • 2048-bit —> 256 byte signatures, ±260 bytes DNSKEY records • Also: striking a balance between signature size and key strength means RSA prevents a switch to simpler key management mechanisms* *don’t have time to explain in detail, see paper

  8. ECC to the rescue • ECC has much smaller keys and signatures with equivalent or better key strength • ECC with 256-bit group ≈ RSA 3072-bit • ECDSA P-256 and P-384 are standardised for use in DNSSEC in RFC 6605 (2012) • Used very little in practice, 99.99% of .com, .net and .org use RSA • But there is a lot of buzz around it (CloudFlare!) • EdDSA based schemes have draft RFCs (Ond ř ej Sur ý )

  9. Measuring ECC impact • We performed a measurement study to quantify the impact of switching to ECC on fragmentation and amplification • Study looks at all signed .com, .net and .org domains • Studies ECC scenarios: ecdsa384csk ecdsa256csk eddsasplit ecdsa384 ecdsa256 eddsacsk implementation choice ECDSA vs. EdDSA ECDSA ECDSA ECDSA ECDSA EdDSA EdDSA Curve P-384 P-256 P-384 P-256 Ed25519 Ed25519 KSK/ZSK vs. CSK KSK/ZSK KSK/ZSK CSK CSK KSK/ZSK CSK most conservative most beneficial ← − − − − − − − −− − − − − − − − → fi fi fi fi

  10. Impact on fragmentation • DNSKEY response sizes dramatically reduced: 100% original ecdsa384 98% percentage of domains ecdsa256 ecdsa256csk 96% eddsacsk 94% IPv6 minimum MTU Ethernet MTU (1280 bytes) (1500 bytes) 92% classic DNS 90% 256 512 1024 2048 4096 response size [bytes, log scale]

  11. Impact on amplification • ANY amplification dampened significantly: 10% current situation ecdsa256 8% percentage of domains ecdsa256csk eddsacsk 6% theoretical maximum ampli fi cation of regular DNS 4% 2% 0% 0 10 20 30 40 50 60 70 80 ampli fi cation factor [bin=0.1]

  12. Impact on amplification • DNSKEY amplification practically solved: 45% original theoretical 40% maximum ampli fi cation ecdsa384 of regular DNS 35% percentage of domains ecdsa256 30% ecdsa256csk eddsacsk 25% 20% 15% 10% 5% 0% 0 5 10 15 20 25 30 35 ampli fi cation factor [bin=0.1]

  13. Back to 512-byte DNS? • A and AAAA responses fit in classic DNS! 100% 80% percentage of domains 60% 40% 20% A queries AAAA queries 0% 128 192 256 320 384 448 512 response size [ecdsa256 with minimal responses]

  14. Conclusions • Switching to ECC is highly beneficial and tackles major issues in DNSSEC • Combined with simpler key management it could even bring “classic” 512-byte DNS back into scope • Impact on resolvers is uncertain! ECC validation speeds are up to an order of magnitude slower than RSA • Improvements are being made (e.g. OpenSSL) • We are working on quantifying the impact of this

Recommend

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine

Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine

Elliptical Curves in DNSSEC Dmitry Kohmanyuk Hostmaster Ltd #EEDNSUA 2016 Kyiv, Ukraine Elliptic Curve Cryptography (ECC) y^2 = x^3 + ax + b http://en.wikipedia.org/wiki/Elliptic_curve

151 views • 13 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Amicable pairs for elliptic curves Katherine E. Stange SFU / PIMS-UBC . joint work with .

Amicable pairs for elliptic curves Katherine E. Stange SFU / PIMS-UBC . joint work with .

Motivations Definitions and growth rates The CM case Aliquot cycles The j = 0 case Final remarks Amicable pairs for elliptic curves Katherine E. Stange SFU / PIMS-UBC . joint work with . Joseph H. Silverman Brown University / Microsoft

658 views • 41 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Curves Over Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is part of the NSF-funded AIM FRG project on Databases of L -functions. This talk had much valuable input from Noam Elkies, John Voight,

567 views • 40 slides
Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com

Faster formulas for elliptic curves Hseyin H sl hisil.huseyin@gmail.com www.huseyinhisil.net ECC2010, Redmond Hseyin H sl () October 19, 2010 1 / 36 Faster formulas for elliptic curves (A roadmap for formula-hunters)

825 views • 55 slides
Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Curves Over Q ( 5) Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of the NSF-funded AIM FRG project on Databases of L -functions) February 2011 Curves Over Q ( 5) Stein 1. Finding

536 views • 34 slides
Elliptic gamma functions, gerbes and triptic curves Giovanni Felder, ETH Zurich Paris, 18

Elliptic gamma functions, gerbes and triptic curves Giovanni Felder, ETH Zurich Paris, 18

Elliptic gamma functions, gerbes and triptic curves Giovanni Felder, ETH Zurich Paris, 18 January 2007 1 Table of contents 0. Introduction 1. Two periods: Jacobis infinite products, elliptic curves, SL 2 ( Z ) 2. Three periods:

510 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides

More recommend