Re: [Dtls-iot] Reference to Heninger Paper
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 21 July 2015 12:41 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D10AC1A1B57 for <dtls-iot@ietfa.amsl.com>; Tue, 21 Jul 2015 05:41:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYOecm576vOs for <dtls-iot@ietfa.amsl.com>; Tue, 21 Jul 2015 05:41:20 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F00D1A1B88 for <dtls-iot@ietf.org>; Tue, 21 Jul 2015 05:41:20 -0700 (PDT)
Received: from [192.168.10.134] ([31.133.152.120]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0MV5tl-1ZRhqL0Jbx-00YPaJ; Tue, 21 Jul 2015 14:41:16 +0200
Message-ID: <55AE3DE9.6070700@gmx.net>
Date: Tue, 21 Jul 2015 14:41:13 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
References: <55A640D9.5070005@gmx.net> <55A64353.2080709@cs.tcd.ie>
In-Reply-To: <55A64353.2080709@cs.tcd.ie>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="FixN7nKg6QCNe0vaXXKFUqgticdLEDJQ8"
X-Provags-ID: V03:K0:Bu/XIpg9GzQSpOiubG48fqMMN6qf7OZwCfbIk5Wh7PGf/DvCXPa l22d7WE9jBCWvETswbYNewlS6EoBpgklAXwQTQAD5Fq6QjAxeEYHiQQJ9N/quoPPru/KlGj htRTCNKtWKNsz7tSTuCjnVOdBUBy41pby7h+YiZrGsZKPcG2DEBMvU7bJk7+t946kyNTuwV i6aVRsd6DW54OWjYkKGHQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:Bshkz0L47WQ=:nTbKm/vuCbWXukOjugbjou rT82jEV5Z+RuuAIwG10xMfFWNDKzuRwtdKvDxr9vtRXBcrrUZojctvW5/3t5u1nguI8x/RPGg ECKnh2xIdOjM/TEywJx9cIoSwyQyvupZABExlaZD57tRfD+EpDns+Q0eVu0LcMKjNwzVU3FnA Di6VFjNAC4+lbGEy2Aa5UHmRoIrAteeRTQG6Gx6dW4CnGTnKfDmAyDoLp0HNhws29yBWmArw9 DpxmEEespkfdmQoFYNwscLyxaOH7X3xDwYsXf+rnfD9+h3YQKaNqDYj2vvXOLpY+9bU/31yQp O0htr4NTi4eK6TBrwJitN326doZXIt2nlkS4L5FIjz+NJfMtGTwgDZJkshtua2Ex0VBffIZLy WTBjbgu3Jzs0jKexivo7bb6stVKkuh75QsDVaj9Nnt9EXxQlCXSIe9uhtbPG7hm1azeQvBiMH 3gYQ1YHT6fmBuKX8jwQeOpZp9oaR4cDuz+rw6cVqyAk1mcdoyb8TPsHx+/VTfjcj3jtZpGCc5 XYWQrFrY7X9S574PdRFPKWi6vHZrRbCAwfHQP3ETFeBdNWw1oeWjBjSQjktI7rbgIok5IrcKV gw00lh8u3MLLCyC1u83ZHSU+inwsU1X2cB4sEI7S7UlHWDOA+lBrybVM33opy2xi2S/rr7RyX LzGZvjPgwUxs/9tcdH0ASMZxtBo7B12nA/Q2XI/RapR1O6w==
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/izrvTOxTpsA5_8_T72TcG5jhNnc>
Subject: Re: [Dtls-iot] Reference to Heninger Paper
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 12:41:25 -0000
Hi Stephen, I discussed the issue with Thomas, my co-author, and we know understand the misunderstanding. We thought it would be easier to remove the reference to the Heninger paper. Here is the new text: --------------------------------- 14. Random Number Generation The TLS/DTLS protocol requires random numbers to be available during the protocol run. For example, during the ClientHello and the ServerHello exchange the client and the server exchange random numbers. Also, the use of the Diffie-Hellman exchange requires random numbers during the key pair generation. It is important to note that sources contributing to the randomness pool on laptops, or desktop PCs are not available on many IoT device, such as mouse movement, timing of keystrokes, air turbulence on the movement of hard drive heads, etc. Other sources have to be found or dedicated hardware has to be added. Lacking sources of randomness in an embedded system may lead to the same keys generated again and again. --------------------------------- Ciao Hannes On 07/15/2015 01:26 PM, Stephen Farrell wrote: > > Hiya, > > On 15/07/15 12:15, Hannes Tschofenig wrote: >> Stephen wrote: >> >> (7) 14: Doesn't [Heninger] really cause many devices to use one RSA >> prime factor? That's not the same as "same keys again and again" and in >> any case you're not recommending RSA keys on challenged nodes here. >> Shouldn't you do the analysis of the impact of a dodgy PRNG on >> populations of devices that follow these profiles and not something else? >> >> >> Heninger did an analysis of the deploy infrastructure of that time and >> RSA is in widespread use. Hence, her analysis focuses on the problems >> with RSA keys. >> >> However, her observations are general in the sense that a non-existent >> or bad random number generator will lead to output that is predictable >> or the same with a number of devices. This is essentially what I write. >> >> Copy-and-paste from the text: >> >> --- >> Special care has to >> be taken when generating random numbers in embedded systems as many >> entropy sources available on desktop operating systems or mobile >> devices might be missing, as described in [Heninger]. Consequently, >> if not enough time is given during system start time to fill the >> entropy pool then the output might be predictable and repeatable, for >> example leading to the same keys generated again and again. > > It's that last bit that's wrong though. With RSA it was the same first > prime being "found" with non-negligible probability. As far as we know > all the same-key cases are because the private key was installed. And > even with e.g. ECDSA privates of randoms-used-in-signing, if one can > predict some but not all bits, one still wins the game I think. > > So s/same keys/weak keys/ would be ok and the reason this is notable > is that I think there are likely developers out there who'd think that > they must be fine if the public key values are unique. [Heninger] > shows us that's not the case. > > Even better than s/same keys/weak keys/ would be to explain a bit > more about [Heninger] - say a para like the above. > > Cheers, > S. > > > >> --- >> >> >> >> _______________________________________________ >> dtls-iot mailing list >> dtls-iot@ietf.org >> https://www.ietf.org/mailman/listinfo/dtls-iot >> > > > > _______________________________________________ > dtls-iot mailing list > dtls-iot@ietf.org > https://www.ietf.org/mailman/listinfo/dtls-iot >
- [Dtls-iot] Reference to Heninger Paper Hannes Tschofenig
- Re: [Dtls-iot] Reference to Heninger Paper Stephen Farrell
- Re: [Dtls-iot] Reference to Heninger Paper Hannes Tschofenig