Re: [Cfrg] randomness improvements via DHE/ECDHE, was: [Re: I-D Action: draft-irtf-cfrg-randomness-improvements-01.txt]
Natanael <natanael.l@gmail.com> Tue, 03 July 2018 14:35 UTC
Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B1A5130E04; Tue, 3 Jul 2018 07:35:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tp4F2jYTAHA1; Tue, 3 Jul 2018 07:35:49 -0700 (PDT)
Received: from mail-ed1-x542.google.com (mail-ed1-x542.google.com [IPv6:2a00:1450:4864:20::542]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F8CB130E35; Tue, 3 Jul 2018 07:35:49 -0700 (PDT)
Received: by mail-ed1-x542.google.com with SMTP id d3-v6so1806788edi.1; Tue, 03 Jul 2018 07:35:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=G2ghCyKHIXEKBr1goplHHjM5kOiH8UyPipv1SQpBKBc=; b=b3Efawrw++UCtXaWZVvo1BPCcLWK/BZTMOxXbwCF7Cw6fw26XdVsFXfn8vygYA6G4f V0CaBvgWrZJuvfvL23ve25gxTejb9Cxj99Zq+dKkAbUSvUVnibFNf2EAJpJMe8Q+uyOH wg36tKsUQbk7ASmfMtP3SNVb8oDLA3eWp2JJtz4RAIZMa56OvYY6pu43agOlokEpgWih vklKFHcV+8lXMUU2xq3xonWg0fzON6OYe8dW/XbhZVzMLO3IUmFY5hD4IDcvm0Rv9UAJ nRG3BrS5+4HqA4MElqWi+8KeSZqz/XayCOoDjkGY9wgWpzdoLLd5YNS14Ojlshb/jt8D DiBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=G2ghCyKHIXEKBr1goplHHjM5kOiH8UyPipv1SQpBKBc=; b=WWuxDDCt+j1w4vUoWz7Qg/n0SznSmLu7HyH6sY/ZgV9mNm6aeYBE450NuJSlqnjAwM PF83S1BD+Pnx0Obu/n4qDbnvlqW6HWNP/z0bXJKKq7W796FlwI4CggqYAFLApKO5f4Ao XUWmy8PVqKFWR438YA/Vkqw6BMM6vUHZg5XXoDYZmJsdDq68dWIcabzsQlwxuTAjLb5x Yh/BI1p532/Xk2XNDlNBvKCsnxf9iySBgw/2gEJbMPTt9zVJFc1CDZ7EwLojxRpkYDIy xD+muDcoueJBbB0oN2F8XK54lAOjHStSmFUy5GxkuwoW6Kge7hAQ5WI7K32mJtkuEvlM ORow==
X-Gm-Message-State: APt69E1WAUKp3aQ+APa/Cbykl5gnHSuP1mov7RthQTVs4Tcwd0gLNGkg Bmh08NHG+YhyJggTrMHf8Is/eabPHSEZJA1i6rw=
X-Google-Smtp-Source: AAOMgpdfD/mx+zVriWLYLBfqf7FE8WzhPIa45rHZIVTHKNHhzP+FGs7u4M8F8FCHU2AwlUE7qriNA1kiOh6FKof3AfY=
X-Received: by 2002:a50:c28a:: with SMTP id o10-v6mr10977900edf.296.1530628547479; Tue, 03 Jul 2018 07:35:47 -0700 (PDT)
MIME-Version: 1.0
References: <153057074266.16504.3005107465775487514@ietfa.amsl.com> <20180703133832.GG26205@io.lakedaemon.net>
In-Reply-To: <20180703133832.GG26205@io.lakedaemon.net>
From: Natanael <natanael.l@gmail.com>
Date: Tue, 03 Jul 2018 16:35:33 +0200
Message-ID: <CAAt2M1_M3dKO=G-iepbnRWrZHa39WdUqp+J_4UNwXK3DTmxg+g@mail.gmail.com>
To: Jason Cooper <cfrg@lakedaemon.net>
Cc: internet-drafts@ietf.org, cfrg@ietf.org, i-d-announce@ietf.org
Content-Type: multipart/alternative; boundary="000000000000db0da70570193a2e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OyqEVoGTWFEPfFXLnGHEvnNBnnU>
Subject: Re: [Cfrg] randomness improvements via DHE/ECDHE, was: [Re: I-D Action: draft-irtf-cfrg-randomness-improvements-01.txt]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 14:35:52 -0000
Den tis 3 juli 2018 15:39Jason Cooper <cfrg@lakedaemon.net> skrev: > I'm interested in doing an extension / > follow-on to this RFC that would use ephemeral shared secrets derived > from DHE or ECDHE. > > The scenario being: a constrained device, on first boot, empty entropy > pool. It uses it's long-term private key to seed the pool as you've > outlined. > > Then, to strengthen the pool, it does DHE/ECDHE negotiations with > multiple peers on it's local network. The ephemeral shared secret from > each of those negotiations is then fed into the entropy pool. How to do > this securely would be the bulk of the proposed RFC. > Just remembered having seen this before via the metzdowd mailing list. Recap: If you already have enough entropy in the private key / ephemeral secret for these key exchanges to be completely secure, then you do not need more entropy. If you don't, then active attackers or anybody else with a full log of these data packets can break the scheme by deriving your original secret and thus decrypting / deriving all other secrets you collected. Other than that, the entropy gained per key exchange is about equivalent to the size of the ephemeral secrets used (for some definitions of entropy...). This is typically something like 256 bits. This is also assuming those other peers started off with secure entropy! You gain nothing from peers that have no entropy to add from the start. Also you don't get much from additional exchanges with the same peer, as an attacker only need to guess the original input but not subsequent ones. So assuming your key exchanges are NOT monitored, you only need one successful exchange with a FULLY trusted peer (at the time of the exchange) to get enough local entropy. Assuming a network of nodes where none has sufficient entropy and none has a good entropy source, you can likely NOT collect enough entropy from this network on any single device to be secure. Chosen / derived key material is only a problem in a few special cases, where for example (for some key exchange algorithms) the adversary can control the output bits of the key exchange. With a secure local algoritm for including the external entropy into the local pool, this is not security risk for your pool as it only means nothing were added. Best case scenario for your algorithm: a bunch of trustworthy and isolated low power nodes have some entropy, which is *independent* of each other, but perhaps not enough to be secure (maybe 60 bits or so), and then they collectively help each other to gather enough entropy. Note: in this case we would expect the long term key to need replacement once we have enough entropy, if it's not random enough. All nodes would need to erase their initial randomness to protect the other nodes too. Proper entropy seeding is almost always the better alternative. That, or including good hardware RNG:s.
- [Cfrg] I-D Action: draft-irtf-cfrg-randomness-imp… internet-drafts
- [Cfrg] randomness improvements via DHE/ECDHE, was… Jason Cooper
- Re: [Cfrg] randomness improvements via DHE/ECDHE,… Natanael