Bringing elliptic curve cryptography into the mainstream

In this talk I will describe how CloudFlare helped take elliptic curve cryptography from a promising technology with low adoption to core part of the HTTPS revolution.

Two years ago, almost every public key used on the web for HTTPS was an RSA key. In 2013, the zmap team from University of Michigan scanned the entire web and found fewer than twenty non-RSA certificates. Over the next two years, CloudFlare took that number into the millions with the Universal SSL project. We’ll describe how using ECDSA (Elliptic Curve Digital Signature Algorithm) keys instead of RSA keys played a crucial role in enabling this project. With Universal SSL, any website can become HTTPS-enabled for free.

Elliptic curve cryptography is not just useful for HTTPS, there are other protocols for which it provides an advantage over RSA. One of these is DNSSEC, the algorithm that lets administrators digitally sign DNS records for authenticity. DNSSEC been described as difficult deploy and dangerous because of the potential to abuse it in amplification/reflection attacks. In October 2015, CloudFlare launched its automated DNSSEC beta program. We’ll describe some of the tweaks we made to easily scale DNSSEC to millions of zones and how ECDSA keys helped solve some of the protocol’s major issues.

Stanford Security Lunch
November 4, 2015