Re: [dsfjdssdfsd] Should secure RNGs be a MUST?
Sandy Harris <sandyinchina@gmail.com> Tue, 11 March 2014 23:46 UTC
Return-Path: <sandyinchina@gmail.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F08621A087B for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 11 Mar 2014 16:46:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ii_tcwF-9VVy for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 11 Mar 2014 16:46:14 -0700 (PDT)
Received: from mail-ve0-x22c.google.com (mail-ve0-x22c.google.com [IPv6:2607:f8b0:400c:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A739A1A0857 for <dsfjdssdfsd@ietf.org>; Tue, 11 Mar 2014 16:46:14 -0700 (PDT)
Received: by mail-ve0-f172.google.com with SMTP id jx11so9309306veb.17 for <dsfjdssdfsd@ietf.org>; Tue, 11 Mar 2014 16:46:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=dN2F7zG3/2WysLafEENOW52HVyCsCcjhhF/gF8gdRyo=; b=RAvvjcVpOmp71P3gNkdP5HS3GKJqHJ78BFwL2csmQ4upeqvCVA/7/vIg11X+3VdNEP nouWn052pfskC7hJsAgiEgpR9jXNgXKmWwvwoVCfw88gu/K4kR0GMV17FE+y7VL4T7IH y+bhPQ9vACp/FFwrhRYgRuS4CP1SIREDx7g8rBKA7Q42TUHw98v2QPuNHCcn5OLx4Vjx SqnR3/hD89DQMQgt/Vb5QpNEumMsS0ZzI+6cUvkt1vJi8YnHCU5grX6u/q5XAyrvt60i z0EoOg5BQtcSMEXyKK8FNB55zhd7qmyfJpncTApglamjGyDYmGgRsu7CykA50R7hLh0L IRSw==
MIME-Version: 1.0
X-Received: by 10.221.74.65 with SMTP id yv1mr32360vcb.31.1394581568502; Tue, 11 Mar 2014 16:46:08 -0700 (PDT)
Received: by 10.58.234.4 with HTTP; Tue, 11 Mar 2014 16:46:08 -0700 (PDT)
In-Reply-To: <531F5573.1050905@akr.io>
References: <810C31990B57ED40B2062BA10D43FBF5C523AD@XMB116CNC.rim.net> <531F5573.1050905@akr.io>
Date: Tue, 11 Mar 2014 19:46:08 -0400
Message-ID: <CACXcFmnX86-mOGohL8K=y1kQ7NuZRoi3hZ2JiVuYu9=4GsH1mw@mail.gmail.com>
From: Sandy Harris <sandyinchina@gmail.com>
To: dsfjdssdfsd@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/isCM0Rq8RcSu3rciUZHBCf2sHmI
Subject: Re: [dsfjdssdfsd] Should secure RNGs be a MUST?
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 23:46:17 -0000
On Tue, Mar 11, 2014 at 2:26 PM, Alyssa Rowan <akr@akr.io> wrote: > On 11/03/2014 17:08, Dan Brown wrote: > >> So, I am not totally sure about the question of whether secure >> RNGs should be a MUST. I wonder what others think. > > Given this list exists, I'd say yes: going forward, they MUST be. <g> > > Regarding your counterargument: I think security considerations > warrant MUST. Absolutely, at least in any protocols whose security properties matter, and often elsewhere as well. > I think secure RNGs really need to be considered a vital component to > analyse. ... > > We should consider how robust protocols may be if those requirements > are not met, and generally prefer (as a "safety net") protocols which > do not fail catastrophically if the RNG is weak, ... I cannot think offhand of a protocol that uses random numbers and does not fail with bad ones. Sometimes, as in choosing TCP sequence numbers, it may not matter a lot, but I am not even certain of that. There are many examples of important security protocols that fail disastrously -- as in do not achieve any of their design goals -- if a weak RNG is used. Here are some: The Diffie-Hellman key negotiation protocol -- used by at least IPsec, SSL/TLS and SSH, and for all I know others -- can be straightforwardly broken if either party uses a weak RNG. The break gives the enemy the shared key, which lets him break both the encryption and the packet-level authentication. PGP generates a random key and uses it to encrypt the message with an efficient block cipher. Then it uses public key methods to safely deliver that key to recipients. A sufficiently bad RNG could therefore break PGP. RNGs are also required for most types of key generation for any public key algorithm. The recent findings of massive duplication of TLS keys (a fatal flaw) on the net was attributed mainly to linux-based routers that failed to initialise their RNGs correctly. The DSA algorithm may be a standard, but it is horrendously flawed. A single use with a bad RNG or multiple uses if each leaks a bit of random material, completely break it, letting an attacker get the private key. https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity Some people, including me, suspect that such a flawed method could only have been standardised as a deliberate attempt to facilitate monitoring.
- Re: [dsfjdssdfsd] Should secure RNGs be a MUST? Dan Brown
- [dsfjdssdfsd] Should secure RNGs be a MUST? Dan Brown
- Re: [dsfjdssdfsd] Should secure RNGs be a MUST? Alyssa Rowan
- Re: [dsfjdssdfsd] Should secure RNGs be a MUST? Alyssa Rowan
- Re: [dsfjdssdfsd] Should secure RNGs be a MUST? dan
- Re: [dsfjdssdfsd] Should secure RNGs be a MUST? Stephen Farrell
- Re: [dsfjdssdfsd] Should secure RNGs be a MUST? Sandy Harris