[TLS] Another way to reduce signature computational cost

Sun, 19 Jul 2015 21:21:13 -0700 

Hi all,

In TLS 1.3 draft-07, server provides a ServerConfiguration message containing a 
long-term DH share.
If used on future connections:

(1) server reduces the computational cost for cipher suites where signatures 
are slower than key agreement;
(2) server omits both the Certificate or CertificateVerify message;
(3) and client encrypts zero-rtt data.


Here I'd like to give another way to reach (1), to reduce server's computational
cost for CertificateVerify message for RSA type certificate.

In normal way, the CertificateVerify is computed as:
    CA ==> CA2 ==> srv_cert_RSA --> session
where "==>" means reusing signature, and "-->" means signature for each session 
which is computation sensitive.

Maybe the server can generate a temparary ECC certificate, so the 
CertificateVerify is computed as:
    CA ==> CA2 ==> srv_cert_RSA ==> tmp_cert_ECC --> session
and the structure of CertificateVerify message becomes:

      struct {
           ECParam tmp_cert_public;
           time    tmp_cert_not_before;
           time    tmp_cert_not_after;
           digitally-signed struct {
              opaque handshake_hash[hash_length];
           }
      } CertificateVerify;


Compared to ServerConfiguration, this tmp_cert_ECC has some advantages:

* The tmp_cert only modify the CertificateVerify message.
  While the ServerConfiguration brings MS and SS concepts.

* The tmp_cert need not to be global.
  If there are multiple machines or processes behind one service,
  they must synchronize the key share for ServerConfiguration.
  In practice the key share is always configured in server's configure
  file and need rotated periodically manually, like the ticket key in Nginx.
  While the tmp_cert can be generated randomly and independently.

* The tmp_cert's lifetime could be short.
  It could be re-new after used for only 100 times, or 10 minutes.

* The tmp_cert works even for the first connection.


So could we use this tmp_cert to replace ServerConfiguration's "reducing 
computation" function?

The "omitting Certificate message" could be reached by cached-info extension.
Then the ServerConfiguration can be used for zero-rtt data exclusively.


Thanks
Bingzheng

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to