James A. Donald (jamesd@echeque.com)
Wed, 13 Jan 1999 22:16:52 -0800
--
Why are secure web pages so !@#$%^&*()_ slow?
I conjecture the problem is as follows, and I am posting to
ask if this conjecture is correct.
Suppose you want to communicate with your bank:
I suspect that every time you hit the server for a new page
the following happens:
Your browser opens a channel to the server, if it does not
already have an open encrypted channel, which it usually does
not.
Your browser initiates a DH construction of a shared secret
by sending a public key, based on a secret key made up on the
spur of the moment, for this particular interaction, to the
web server.
The web server responds with a similar public key for the DH
exchange, made up on the spur of the moment, but signed using
its permanent secret key, plus a signed declaration from
Verisign, declaring that the signature belongs to the
rightful owner of web site so and so.
Let us call these keys made up on the spur of the moment the
ephemeral keys.
Your browser uses its ephemeral secret key and the server's
ephemeral public key to generate a shared secret. The server
uses its ephemeral secret key and your ephemeral public key
to generate the same shared secret.
Using this shared secret, your browser and the web server
then finally have a fully encrypted channel, encrypted using
128 bit encryption. The server or the browser may give away
88 bits of this key, as required by government legislation to
make life easier for snoopers.
In order to get to the shared secret we have had one
additional back and forth exchange that we did not need when
conversing in the clear, plus several public key
operations.
Your browser then uses this channel to send the URL and any
relevant cookies. The server looks at the cookie, figures
out that you are the same entity who sent them a four digit
pin a few minutes ago, and sends you the relevant page.
So all this great encryption is used to merely prove
possession of a shared four digit secret. Oh wow!
We could have started by using possession of a shared secret
to encrypt the channel and skipped all the transactions
needed to set up the channel.
Or we could have started by using possession of each other's
public keys, no shared secrets, thus enabling us to use the
same passphrase for everyone. Your browser could have
remembered the bank's public key from last time, opened a
channel, sent an ephemeral secret encrypted to the bank's
public key and signed using your secret key, which the
bank recorded when you originally set up the relationship,
then immediately encrypted the channel, and then immediately
sent the URL encrypted, without any of the preliminary
exchange of messages.
It appears to me that you could cut this crap if whenever you
registered with someone, whenever you subscribed to someone,
your browser remembered their DH key, and their server
remembered your DH key in the manner described by Schneier,
chap 22, "Key exchange without exchanging keys.", thus
eliminating all public key operations and all the preliminary
operations needed to open a channel.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
EiGOI9sMWK5NnEAokn8UYJI4XFTRRQep5KfaHGqq
4yVp9QMb7i+CHNp05Ni9oJN2Yowopj9ogGkiad2Vt
-----------------------------------------------------
We have the right to defend ourselves and our property, because
of the kind of animals that we are. True law derives from this
right, not from the arbitrary power of the omnipotent state.
http://www.jim.com/jamesd/ James A. Donald
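The remembered-DH-key idea from the post above, as an added example that is not part of the original message: both sides derive the same secret from stored keys, so the first packet already carries the encrypted URL. The toy group, the function names, the per-connection nonce and the hash-based cipher are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group, an assumption for this demo only: 2**127 - 1 is prime but far too
# small for real use; a deployment would use a standardized large group.
P, G = 2**127 - 1, 3

def keypair():
    """Long-term DH key pair, created once when the relationship is set up."""
    x = secrets.randbelow(P - 3) + 2              # secret exponent in [2, P-2]
    return x, pow(G, x, P)

def session_keys(my_secret, their_public, nonce):
    """Derive (enc_key, mac_key) from the remembered peer key, with no handshake."""
    if not 1 < their_public < P - 1:              # reject trivial public values
        raise ValueError("peer public key out of range")
    shared = pow(their_public, my_secret, P).to_bytes(16, "big")
    okm = hmac.new(shared, b"session" + nonce, hashlib.sha512).digest()
    return okm[:32], okm[32:]

def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (illustrative cipher only)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def first_request(my_secret, bank_public, url):
    """Browser side: the very first packet already carries the encrypted URL."""
    nonce = secrets.token_bytes(16)               # fresh per connection, sent in clear
    enc, mac = session_keys(my_secret, bank_public, nonce)
    ct = keystream_xor(enc, url)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def handle_request(my_secret, customer_public, packet):
    """Bank side: verify and decrypt using the customer's stored public key."""
    if len(packet) < 48:
        raise ValueError("short packet")
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    enc, mac = session_keys(my_secret, customer_public, nonce)
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: sender does not hold the registered key")
    return keystream_xor(enc, ct)

if __name__ == "__main__":
    browser_sk, browser_pk = keypair()            # exchanged once, at registration
    bank_sk, bank_pk = keypair()
    packet = first_request(browser_sk, bank_pk, b"GET /accounts/statement")
    print(handle_request(bank_sk, browser_pk, packet))
```

Because both keys are long-term, this scheme has no forward secrecy: anyone who later obtains either secret key can decrypt recorded traffic. The bank would also need to reject repeated nonces to stop replay of a captured first packet.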