30 Nov 2021
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.
Future quantum computers could break all public key cryptosystems that are in mainstream use today. This has led to the development of new cryptographic algorithms that are believed to be resistant against quantum attacks. The US National Institute of Standards and Technology (NIST) is currently running a competition to develop such quantum-resistant algorithms and it is expected that within the coming years standards for these post-quantum cryptosystems will become available.
Previous experiments with post-quantum cryptography, which we have covered often in this newsletter, usually focused on the key exchange. While post-quantum key exchanges are somewhat larger and slower than today’s elliptic curve key exchanges, the overhead is believed to be manageable. However, signatures are more challenging.
All post-quantum signatures currently discussed have much larger signatures, larger public keys, or both. Some of them are also significantly slower than today’s cryptography. Cloudflare recently published data from experiments that it ran on such larger TLS handshake messages.
Modern TLS uses a lot of signatures, which has often been ignored in previous papers that analyzed post-quantum signatures in TLS. A common handshake will usually have six signatures (two in the certificates, one for OCSP stapling, two for Certificate Transparency SCTs, and one to sign the handshake).
Using any of the existing post-quantum signature proposals as a drop-in replacement is challenging. The Cloudflare experiment comes to the conclusion that going beyond nine kilobytes in ServerHello would add significant performance issues. This would only be possible with the smallest of the proposed signature schemes, called Falcon. But Falcon comes with challenges in regard to constant time implementation and side-channel attacks.
It is possible to conceive of ways to change the TLS protocol so that it can require fewer signatures. For example, the KEMTLS proposal would eliminate the handshake signature. Intermediate certificates could be cached. Certificate revocation via OCSP and OCSP stapling has never worked very well, and browsers have moved to using centralized revocation lists like Mozilla’s CRLset. Some signatures could be replaced by stateful signature schemes.
But each of these ideas requires rethinking how TLS works on sometimes very fundamental levels. And major changes in the TLS ecosystem come with their own challenges.
This subscription is just for the newsletter; we won't send you anything else.
Here are some interesting jobs we've come across in the last month:
If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.
And here are some resources that you might find useful:
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.