[Cfrg] Spencer Dawkins' No Objection on draft-irtf-cfrg-randomness-improvements-12: (with COMMENT)
Spencer Dawkins via Datatracker <firstname.lastname@example.org> Tue, 26 May 2020 22:36 UTC
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id DFFEB3A0AA2; Tue, 26 May 2020 15:36:07 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
From: Spencer Dawkins via Datatracker <email@example.com>
To: "The IRSG" <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org, email@example.com, Alexey Melnikov <firstname.lastname@example.org>, email@example.com
Reply-To: Spencer Dawkins <firstname.lastname@example.org>
Date: Tue, 26 May 2020 15:36:07 -0700
Subject: [Cfrg] Spencer Dawkins' No Objection on draft-irtf-cfrg-randomness-improvements-12: (with COMMENT)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:email@example.com?subject=unsubscribe>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:firstname.lastname@example.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 22:36:08 -0000
Spencer Dawkins has entered the following ballot position for draft-irtf-cfrg-randomness-improvements-12: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- This seems a fine document. I do have some nits, and questions about BCP14 usage. Do the right thing, of course. I'm thinking that the mentions of "Dual_EC_DRBG" and "Debian bugs" may not be meaningful to future readers ("RFCs are forever") in the Abstract without references (which we don't put in Abstracts). Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically-strong" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. The Dual_EC_DRBG ^^^^^^^^^^^^^^^^ random number backdoor and Debian bugs are relevant examples of this ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ problem. An initial entropy source that seeds a CSPRNG might be weak ^^^^^^^ or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol participants to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs. Perhaps that sentence could be omitted, since both are mentioned in the Introduction with references? I know that CSPRNG is expanded in the Abstract, but I'd suggest expaanding it on first use in the text. Randomness is a crucial ingredient for TLS and related transport security protocols. TLS in particular uses random number generators (generally speaking, CSPRNGs) to generate several values: session ^^^^^^^ I understood 2. An adversary Adv with full control of a (potentially broken) CSPRNG and able to observe all outputs of the proposed construction, does not obtain any non-negligible advantage in leaking the private key, modulo side channel attacks. ^^^^^^^^^^^^^^^^^^^^^^^^^^^ as saying "without using side channel attacks" - did I get that right? But you might consider being a little less terse than "modulo". This text Let G(n) be an algorithm that generates n random bytes, i.e., the output of a CSPRNG. Define an augmented CSPRNG G' as follows. Let Sig(sk, m) be a function that computes a signature of message m given private key sk. Let H be a cryptographic hash function that produces output of length M. Let Extract(salt, IKM) be a randomness extraction function, e.g., HKDF-Extract [RFC5869], which accepts a salt and input keying material (IKM) parameter and produces a pseudorandom key of L bytes suitable for cryptographic use. It must be a secure PRF (for salt as a key) and preserve uniformness of IKM (for details see [SecAnalysis]). L SHOULD be a fixed length. Let Expand(k, info, n) be a variable-length output PRF, e.g., HKDF-Expand [RFC5869], that takes as input a pseudorandom key k of L bytes, info string, and output length n, and produces output of n bytes. Finally, let tag1 be a fixed, context-dependent string, and let tag2 be a dynamically changing string (e.g., a counter) of L' bytes. We require that L >= n - L' for each value of tag2. has an interesting mix of normative ("SHOULD"), apparently non-normative ("MUST"), semi-normative ("We require that X"), and asserted ("Let A be X") constraints. Are you sure this variety is necessary? At a minimum, you might consider giving guidance about when an implementer might use variable-length Ls, so that implementers could better understand when it's appropriate to use them. Is Both tags SHOULD be generated such that they never collide with another contender or owner of the private key. This can happen if, for example, one HSM with a private key is used from several servers, or if virtual machines are cloned. actually a normative SHOULD? If the tags do collide, what happens? (If it's Really Bad, why is this not a MUST?) Is there a reason an implementer would need to ignore this requirement? I have roughly the same question about Tag strings SHOULD be constructed as follows: ^^^^^^ What happens if they aren't? Why would an implementer need to construct them some other way? And about Recall that the wrapper defined in Section 3 requires L >= n - L', where L is the Extract output length and n is the desired amount of randomness. Some applications may require n to exceed this bound. Wrapper implementations SHOULD support this use case by invoking G' ^^^^^^ multiple times and concatenating the results. Wha happens if the implementation doesn't? Why would an implementation need to support this use case some other way? In this text The proposed construction cannot provide any guarantees of security if the CSPRNG state is cloned due to the virtual machine snapshots or process forking (see [MAFS2017]). Thus tag1 SHOULD incorporate all ^^^^^^ available information about the environment, such as process attributes, virtual machine user information, etc. the second sentence looks more like guidance than a normative requirement to me.
- [Cfrg] Spencer Dawkins' No Objection on draft-irt… Spencer Dawkins via Datatracker