ecdsa

CloudFront 宣佈支援 ECDSA 的 Certificate

Amazon CloudFront 宣佈支援 ECDSA 的 certificate：「Amazon CloudFront now supports ECDSA certificates for HTTPS connections to viewers」。

用主要是讓 certificate 更小，讓 HTTPS 建立時的過程更快 (包括了傳輸的速度與計算的速度)：

As a result, conducting TLS handshakes with ECDSA certificates requires less networking and computing resources making them a good option for IoT devices that have limited storage and processing capabilities.

很久以前好像有看到資料說 256 bits 的 EC 運算量跟 768～1024 bits 的 RSA 差不多，但一時間找不到資料...

目前 CloudFront 只支援 NIST P-256 (secp256r1，或稱作 prime256v1)：

Starting today, you can use Elliptic Curve Digital Signature Algorithm (ECDSA) P256 certificates to negotiate HTTPS connections between your viewers and Amazon CloudFront.

但 NIST P-256 一直為人詬病，在「SafeCurves: choosing safe curves for elliptic-curve cryptography」這邊可以看到 NIST 宣稱的效率設計實際上都不是真的：

Subsequent research (and to some extent previous research) showed that essentially all of these efficiency-related decisions were suboptimal, that many of them actively damaged efficiency, and that some of them were bad for security.

但目前標準是往 NIST P-256、NIST P-384 與 NIST P-521 靠攏 (主要是受到 CA/Browser Forum 的限制)，要其他 curve 的 certificate 也沒辦法生，目前可能還是繼續觀望...

GitHub 支援 SSH 使用 Security Key 了

GitHub 宣佈支援使用 security key 的 SSH key 操作了：「Security keys are now supported for SSH Git operations」。

也就是需要 SSH key + security key 才有辦法認證，只有拿到 SSH key 或是 security key 都是沒有辦法認證過。

目前官方支援 ecdsa-sk 與 ed25519-sk：

Now you can use two additional key types: ecdsa-sk and ed25519-sk, where the “sk” suffix is short for “security key.”

不過在 Ubuntu 20.04 下用預設的系統只能支援 ecdsa-sk，因為 ed25519-sk 會遇到類似「ed25519 problem with libressl」這邊的問題，就算你用的是 OpenSSL。

然後生完 key 後在 ~/.ssh/config 裡面指定對 github.com 使用這把 key：

Host github.com
    IdentityFile ~/.ssh/id_ecdsa_sk

接下來操作的時候就會需要碰一下 security key 了。

OpenSSH 8.4 預設停用 ssh-rsa

前幾天 OpenSSH 8.4 釋出了：「Announce: OpenSSH 8.4 released」。

比較重要的改變是 ssh-rsa 預設變成停用，因為是使用 SHA-1 演算法的關係：

It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release.

官方給了三個方案：

The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.
The ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5.
The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.

掃了一下 ~/.ssh/known_hosts，看起來目前大多都是 ssh-ed25519 了，還有少數還是 ssh-rsa。

翻了一下 Ubuntu 這邊的版本，16.04 是 7.2p2，看起來目前有支援的版本都可以用這三個。

官方有提到可以在 command 上強制關閉 ssh-rsa 測試的方法：

ssh -oHostKeyAlgorithms=-ssh-rsa user@host

現在看起來比較麻煩的是 Dropbear 的部份，我自己之前是有包 PPA 來用 (2019.78)，但看起來還是不夠新支援 ssh-ed25519 (要今年六月的 2020.79 才支援)，所以也許要找時間來把 PPA 更新到 2020.80...

另外一種方法是走 ecdsa-sha2-nistp{256,384,521} 這些演算法，不過從名字就可以知道裡面演算法的由來，卡個 NIST 在那邊看起來就不太舒服，但還是寫一下方法好了：

先用 dropbearkey 產生對應的 ecdsa host key：

sudo dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key -s 256

再來在 /etc/default/dropbear 裡面把 DROPBEAR_EXTRA_ARGS 加上對應的 ecdsa host key 資訊，這邊直接用 -r 是因為他可以重複指定，不會影響到其他的 host key 設定：

# any additional arguments for Dropbear
DROPBEAR_EXTRA_ARGS="-r /etc/dropbear/dropbear_ecdsa_host_key"

然後重跑 dropbear 就可以了。

另外有興趣的人可以用 ssh -Q key 看 openssh client 支援的演算法。

Let's Encrypt 生了新的 Root 與 Intermediate Certificate

Let's Encrypt 弄了新的 Root Certificate 與 Intermediate Certificate：「Let's Encrypt's New Root and Intermediate Certificates」。

一方面是本來的 Intermediate Certificate 也快要要過期了，另外一方面是要利用 ECDSA 降低傳輸時的頻寬成本：

On Thursday, September 3rd, 2020, Let’s Encrypt issued six new certificates: one root, four intermediates, and one cross-sign. These new certificates are part of our larger plan to improve privacy on the web, by making ECDSA end-entity certificates widely available, and by making certificates smaller.

本來有 Let's Encrypt Authority {X1,X2,X3,X4} 四組 Intermediate Certificate，都是 RSA 2048 bits。

其中 X1 與 X2 差不多都到期了 (cross-signed 的已經過了，自家 ISRG Root X1 簽的剩不到一個月)，不過這兩組已經沒在用了，這次就不管他了。

而 X3 與 X4 這兩組則是明年到期，會產生出新的 Intermediate Certificate，會叫做 R3 與 R4，跟之前一樣會被自家 ISRG Root X1 簽，以及 IdenTrust DST Root CA X3 簽：

For starters, we’ve issued two new 2048-bit RSA intermediates which we’re calling R3 and R4. These are both issued by ISRG Root X1, and have 5-year lifetimes. They will also be cross-signed by IdenTrust. They’re basically direct replacements for our current X3 and X4, which are expiring in a year. We expect to switch our primary issuance pipeline to use R3 later this year, which won’t have any real effect on issuance or renewal.

然後是本次的重頭戲，會弄出一個新的 Root Certificate，叫做 ISRG Root X2，以及兩個 Intermediate Certificate，叫做 E1 與 E2：

The other new certificates are more interesting. First up, we have the new ISRG Root X2, which has an ECDSA P-384 key instead of RSA, and is valid until 2040. Issued from that, we have two new intermediates, E1 and E2, which are both also ECDSA and are valid for 5 years.

主要的目的就是降低 TLS 連線時的 bandwidth，這次的設計預期可以降低將近 400 bytes：

While a 2048-bit RSA public key is about 256 bytes long, an ECDSA P-384 public key is only about 48 bytes. Similarly, the RSA signature will be another 256 bytes, while the ECDSA signature will only be 96 bytes. Factoring in some additional overhead, that’s a savings of nearly 400 bytes per certificate. Multiply that by how many certificates are in your chain, and how many connections you get in a day, and the bandwidth savings add up fast.

另外一個特別的修改是把名字改短 (把「Let's Encrypt Authority」拿掉)，也是為了省傳輸的成本：

As an aside: since we’re concerned about certificate sizes, we’ve also taken a few other measures to save bytes in our new certificates. We’ve shortened their Subject Common Names from “Let’s Encrypt Authority X3” to just “R3”, relying on the previously-redundant Organization Name field to supply the words “Let’s Encrypt”. We’ve shortened their Authority Information Access Issuer and CRL Distribution Point URLs, and we’ve dropped their CPS and OCSP urls entirely. All of this adds up to another approximately 120 bytes of savings without making any substantive change to the useful information in the certificate.

這個部份讓我想到之前寫的「省頻寬的方法：終極版本...」這篇，裡面提到 AWS 自家的 SSL Certificate 太胖，改用 DigiCert 的反而可以省下不少錢 XDDD

另外也提到了這次 cross-sign 的部份是對 ECDSA Root Certificate 簽 (ISRG Root X2)，而不是對 ECDSA Intermediate Certificate 簽 (E1 與 E2)，主因是不希望多一次切換的轉移期：

In the end, we decided that providing the option of all-ECDSA chains was more important, and so opted to go with the first option, and cross-sign the ISRG Root X2 itself.

這算是蠻重要的進展，看起來各家 client 最近應該都會推出新版支援。

Let's Encrypt 支援 IDN

Let's Encrypt 宣佈支援 IDN：「Introducing Internationalized Domain Name (IDN) Support」，這代表可以申請的範圍變得更廣了：

This means that our users around the world can now get free Let’s Encrypt certificates for domains containing characters outside of the ASCII set, which is built primarily for the English language.

在「Upcoming Features」可以看到下一步應該是 ECDSA Intermediates？

Let’s Encrypt only signs end-entity certificates with RSA intermediates. We will add the ability to have end-entity certs signed by an ECDSA intermediate.

不曉得之後還會有什麼功能...

密碼系統的 Monoculture

這篇文章講到最近密碼系統的現象：「On the Impending Crypto Monoculture」。

目前常在用的密碼系統包括了 RSA、DH、ECDH、ECDSA、SHA-2、AES 這些演算法，而最近這幾年大家在推廣使用的演算法都出自於同一個人手裡，Dan Bernstein，也就是 djb：

A major feature of these changes includes the dropping of traditional encryption algorithms and mechanisms like RSA, DH, ECDH/ECDSA, SHA-2, and AES, for a completely different set of mechanisms, including Curve25519 (designed by Dan Bernstein et al), EdDSA (Bernstein and colleagues), Poly1305 (Bernstein again) and ChaCha20 (by, you guessed it, Bernstein).

這些演算法或是定義，包括了 Curve25519、EdDSA、Poly1305、ChaCha20。而這篇文章試著說明造成這樣情況的背景以及原因，以及這樣會導致什麼問題。

當實際分析時會發現，檯面上沒幾個能用的演算法，而看起來能用的那幾個又有專利 (像是 OCB)，不然就是看起來被 NSA 放了一些說明不了的參數 (像是 P-256 Curve)。

然後 djb 弄出來的演算法不只看起來乾淨許多，也直接用數學模型證明安全性。而且他的實作也很理論派，像是還蠻堅持要做到 constant time implementation 以避開各種 side channel attack。

就... 理論很強，又很實戰派的一個人啊，檯面上真的沒幾隻可以打的贏啊 XD

對 ECDSA 實體非破壞性的 Side Channel 攻擊

用很簡單的設備透過 Side Channel 攻擊取得 ECDSA private key：「ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels」。這次 Side Channel 只需要簡單的線圈，透著一塊玻璃也 okay：

文章裡面提到是 Tracker Pre，查了一下二手價是 USD$80：

這邊抓出了 ADD 產生出的訊號：

然後就可以利用這些訊號重建出 private key：

After observing the elliptic-curve DOUBLE and ADD operations during a few thousand signatures, the secret signing key can be completely reconstructed.

下面中獎的 library 有點多，可以看到主要是以 constant-time implementation 或是 side-channel mitigation technique 來解這個問題。

Let's Encrypt 建立 Root Certificate 與 Intermediate Certificate

Let's Encrypt 的 Root Certificate 與 Intermediate Certificate 建出來了：「Let's Encrypt Root and Intermediate Certificates」。

Intermediate Certificate 除了會讓自己的 Root Certificate 簽名外，也會讓 IdenTrust 的 DST Root CA X3 簽 (目前各大瀏覽器與 SSL library 都有支援)。

目前是 RSA key，之後會生出 ECDSA key：

All ISRG keys are currently RSA keys. We are planning to generate ECDSA keys later this year.