Re: [Dtls-iot] Reference to Heninger Paper

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 15 July 2015 11:26 UTC


Hiya,

On 15/07/15 12:15, Hannes Tschofenig wrote:
> Stephen wrote:
> 
> (7) 14: Doesn't [Heninger] really cause many devices to use one RSA
> prime factor? That's not the same as "same keys again and again" and in
> any case you're not recommending RSA keys on challenged nodes here.
> Shouldn't you do the analysis of the impact of a dodgy PRNG on
> populations of devices that follow these profiles and not something else?
> 
> 
> Heninger did an analysis of the deployed infrastructure of that time and
> RSA is in widespread use. Hence, her analysis focuses on the problems
> with RSA keys.
> 
> However, her observations are general in the sense that a non-existent
> or bad random number generator will lead to output that is predictable
> or the same with a number of devices. This is essentially what I write.
> 
> Copy-and-paste from the text:
> 
> ---
>    Special care has to
>    be taken when generating random numbers in embedded systems as many
>    entropy sources available on desktop operating systems or mobile
>    devices might be missing, as described in [Heninger].  Consequently,
>    if not enough time is given during system start time to fill the
>    entropy pool then the output might be predictable and repeatable, for
>    example leading to the same keys generated again and again.

It's that last bit that's wrong though. With RSA it was the same first
prime being "found" with non-negligible probability. As far as we know
all the same-key cases are because the private key was installed. And
even with e.g. ECDSA privates or randoms-used-in-signing, if one can
predict some but not all bits, one still wins the game I think.

So s/same keys/weak keys/ would be ok and the reason this is notable
is that I think there are likely developers out there who'd think that
they must be fine if the public key values are unique. [Heninger]
shows us that's not the case.

Even better than s/same keys/weak keys/ would be to explain a bit
more about [Heninger] - say a para like the above.

Cheers,
S.



> ---
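
The distinction Stephen draws above, shown as an added example that is not part of this thread: two RSA public keys with unique moduli that nevertheless share one prime factor (the [Heninger] case) are both factored by a single GCD, while genuinely duplicated keys show up as identical moduli. The primes and the "fleet" below are constructed toy values, far too small for real keys; the pairwise check is the naive form of the batch-GCD audit Heninger et al. ran over a product tree, and is what an operator would run over a population of their own devices' public keys.

```python
from math import gcd
from itertools import combinations

# Constructed toy primes, chosen only so the demo runs instantly.
# 2**31 - 1 is a Mersenne prime; the others are well-known small primes.
P_SHARED = 2**31 - 1        # the prime a poorly seeded generator "finds" repeatedly
Q_A, Q_B = 999983, 1000003  # second factors of two distinct but weak keys
Q_C, Q_D = 104729, 65537    # factors of an independent, healthy key


def audit_moduli(moduli):
    """Classify a population of RSA public moduli.

    Returns (identical, shared):
      identical - set of moduli that occur more than once, the literal
                  "same key again and again" case (installed/cloned key);
      shared    - dict mapping each modulus that shares a prime with some
                  other modulus to its recovered factors (p, q). These keys
                  are unique as public values yet fully compromised.
    """
    identical = {n for n in moduli if moduli.count(n) > 1}
    shared = {}
    for n1, n2 in combinations(set(moduli), 2):
        g = gcd(n1, n2)
        if g > 1:
            # Distinct moduli with a common factor: gcd yields one prime of
            # each, and division yields the other. Both private keys are gone.
            shared[n1] = (g, n1 // g)
            shared[n2] = (g, n2 // g)
    return identical, shared


def demo_fleet():
    """Constructed fleet: two weak keys sharing P_SHARED, one healthy key
    that was cloned onto two devices. Returns the audit result."""
    fleet = [P_SHARED * Q_A, P_SHARED * Q_B, Q_C * Q_D, Q_C * Q_D]
    return audit_moduli(fleet)


if __name__ == "__main__":
    identical, shared = demo_fleet()
    print("duplicated moduli:", identical)
    for n, (p, q) in shared.items():
        print(f"unique modulus {n} factored as {p} * {q}")
```

The point for a developer checking "are all our public keys unique?" is that the first two moduli pass that test and still land in `shared`.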