Speaker
Francis Dupont
(ISC)
Description
1- Presentation of modular group cryptography based on Diffie-Hellman
(even though DNSSEC uses DSA, not DH, the DH math is very simple and so
far easier to explain and (I expect) to understand)
2- Presentation of elliptic curve cryptography in comparison with
modular group cryptography (rather than all the mathematical details),
e.g., exponentiation is replaced by multiplication
3- The different parameters used in DNSSEC (primes, keys, etc.),
including those exposed through PKCS#11, with some words about standard
optimizations (again not explaining them, but showing how to recognize
them)
4- Pros and cons of ECDSA in DNSSEC (pros: 20 times faster, smaller
parameters; cons (inherited from DSA): requires a random number for
signing, verification slower than signing)
5- ECDSA in practice (BIND 9, etc.) and open real-world questions
(e.g., which registries accept ECDSA KSKs/DS RRs)
6- A word about hidden ECC in DNSSEC (GOST, which is in fact ECDSA,
Chinese commercial crypto too) as a conclusion.
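As an added illustration of points 1 and 2 (example code, not from the talk or from ISC): the same Diffie-Hellman exchange done in a modular group, where the public value is an exponentiation, and on an elliptic curve, where it is a scalar multiplication. All parameters (p = 23, g = 5, and the curve over F_97) are constructed toy values, far too small to be secure.

```python
# Modular-group DH versus elliptic-curve DH with constructed toy parameters.
# Real DNSSEC keys use 2048-bit moduli or 256-bit curves; these are for illustration only.

P_MOD, G_MOD = 23, 5   # constructed toy prime and generator for the modular group

def dh_public(secret: int) -> int:
    """Modular group: the public value is the exponentiation g^secret mod p."""
    return pow(G_MOD, secret, P_MOD)

def dh_shared(my_secret: int, their_public: int) -> int:
    """Shared secret: raise the peer's public value to my secret exponent."""
    return pow(their_public, my_secret, P_MOD)

# Constructed toy curve y^2 = x^3 + a*x + b over F_p, with base point G.
P_EC, A_EC, B_EC = 97, 2, 3
G_EC = (3, 6)

def is_on_curve(point) -> bool:
    """True for the point at infinity (None) or any (x, y) satisfying the curve equation."""
    if point is None:
        return True
    x, y = point
    return (y * y - (x * x * x + A_EC * x + B_EC)) % P_EC == 0

def ec_add(p, q):
    """Group law: add two points (None is the point at infinity, the identity)."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_EC == 0:   # p == -q, result is infinity
        return None
    if p == q:                                  # tangent slope for doubling
        lam = (3 * x1 * x1 + A_EC) * pow(2 * y1, -1, P_EC) % P_EC
    else:                                       # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_EC) % P_EC
    x3 = (lam * lam - x1 - x2) % P_EC
    y3 = (lam * (x1 - x3) - y1) % P_EC
    return (x3, y3)

def ec_mul(k: int, point):
    """Scalar multiplication k*point by double-and-add; this replaces exponentiation."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def ecdh_public(secret: int):
    """Elliptic curve: the public value is the scalar multiple secret*G."""
    return ec_mul(secret, G_EC)

def ecdh_shared(my_secret: int, their_public):
    """Shared secret: multiply the peer's public point by my secret scalar."""
    return ec_mul(my_secret, their_public)

def demo(a: int = 6, b: int = 15):
    """Both parties must agree on the shared value in each setting."""
    mod_ok = dh_shared(a, dh_public(b)) == dh_shared(b, dh_public(a))
    ec_ok = ecdh_shared(a, ecdh_public(b)) == ecdh_shared(b, ecdh_public(a))
    return mod_ok, ec_ok
```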
Summary
RFC 6605 introduced modern cryptography based on elliptic curves
into DNSSEC. I'll explain the advantages, and the few disadvantages,
of switching from the current DSA/RSA keys and signatures to
elliptic curve cryptography.
Primary author
Francis Dupont
(ISC)