Re: [Ace] EST over CoAP: Randomness

Eliot Lear <> Thu, 09 May 2019 15:34 UTC

From: Eliot Lear <>
Date: Thu, 9 May 2019 17:33:59 +0200
To: Hannes Tschofenig <>

Hi Hannes,

> On 9 May 2019, at 16:42, Hannes Tschofenig <> wrote:
> Hi all,
> I am still a bit unhappy about this paragraph:
> "
>   Constrained devices sometimes do not have the necessary hardware to
>   generate statistically random numbers for private keys and DTLS
>   ephemeral keys.  Past experience has also shown that low-resource
>   endpoints sometimes generate numbers which could allow someone to
>   decrypt the communication or guess the private key and impersonate as
>   the device [PsQs] [RSAorig].  Additionally, random number key
>   generation is costly, thus energy draining.
> "

> If you get hardware that does not have a hardware-based RNG then you are in trouble. The main security protocols we look into do not work without a source of randomness. Hence, getting the certificate & private key from the server will not get you too far.

> I believe we should encourage developers to pick the correct hardware for the task rather than making them believe we have come up with solutions that allow them to get away without a hardware-based RNG.
> I also do not believe the statement that random number key generation is costly. Can you give me some numbers?

I think that statement in particular is troublesome.  Even if we were to believe it to be true today by some measure, is there any reason to believe it will continue to be true?  We need to be raising the bar.

> The references to [PsQs] [RSAorig] are IMHO also not appropriate because they are conveying a different message (at least that's my understanding from reading them). The message is that you have to be careful with designing and using a random number generator on embedded systems because the sources of entropy may just not be there (like keyboards, harddisk drive, processing scheduling, etc.).

Yes.  And maybe the emphasis of this paragraph should shift as well along these lines.
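The failure mode that [PsQs] documents, and that the discussion above turns on, is easy to show concretely. The following is an added illustration written for this archive page; it is not code from the ACE thread, the EST-coaps draft, or either correspondent. It models a constrained device whose first RSA prime is drawn from a PRNG seeded with a tiny, guessable boot-time value (a constructed assumption standing in for "the entropy sources may just not be there"), while the second prime is drawn after real entropy is available, and then runs the defender-side check an operator can apply to a fleet's public certificates: a pairwise GCD over the moduli. Key sizes are deliberately tiny (128-bit primes) so it runs in well under a second; function names and the fleet parameters are hypothetical.

```python
"""Added illustration of the [PsQs] failure mode: RSA keys generated before a
constrained device has gathered enough entropy share prime factors, which a
batch GCD audit over the public moduli detects.  Tiny key sizes for speed;
nothing here is real device key material."""
import math
import random
import secrets
from itertools import combinations


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for the demo-sized primes below."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)   # witness choice need not be secret
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, randbits):
    """Generate a `bits`-bit prime using the supplied randbits(k) callable, so the
    same routine can be driven by a weak or a proper entropy source."""
    while True:
        candidate = randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def weak_device_modulus(boot_seed, bits=128):
    """Constructed model of the [PsQs] bug: p is drawn from a PRNG seeded with a
    small, guessable boot-time value; q is drawn later from the OS CSPRNG once
    real entropy exists.  p therefore repeats across devices sharing a seed."""
    prng = random.Random(boot_seed)
    p = random_prime(bits, prng.getrandbits)
    q = random_prime(bits, secrets.randbits)
    return p * q


def good_device_modulus(bits=128):
    """Same key generation, but both primes come from the OS CSPRNG."""
    p = random_prime(bits, secrets.randbits)
    q = random_prime(bits, secrets.randbits)
    return p * q


def shared_factor_audit(moduli):
    """Defender-side check: pairwise GCD over a fleet's public moduli.  A
    non-trivial GCD means two keys share a prime, so both are factorable from
    the public certificates alone.  Returns {(i, j): shared_prime}."""
    findings = {}
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = math.gcd(n1, n2)
        if g not in (1, n1, n2):
            findings[(i, j)] = g
    return findings


def demo(fleet_size=12, seed_space=4):
    """Audit a fleet whose boot seeds come from only `seed_space` values, and an
    equally sized fleet keyed from proper entropy.  Returns (weak_hits, good_hits)."""
    weak = [weak_device_modulus(boot_seed=i % seed_space) for i in range(fleet_size)]
    good = [good_device_modulus() for _ in range(fleet_size)]
    return len(shared_factor_audit(weak)), len(shared_factor_audit(good))


if __name__ == "__main__":
    weak_hits, good_hits = demo()
    print(f"weak-seeded fleet: {weak_hits} key pairs share a prime")
    print(f"properly seeded fleet: {good_hits} key pairs share a prime")
```

With twelve devices drawing boot seeds from four values, every group of three devices that booted alike shares its p, and the audit flags all twelve such pairs; the properly seeded fleet yields none. The audit only detects the condition after the fact, which is consistent with the point made above that provisioning the certificate and key from a server does not substitute for an entropy source on the device itself.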