IETF Logo Mail Archive

Re: [hybi] "fresh" and "uniformly at random":

Adam Barth <ietf@adambarth.com> Sat, 18 June 2011 06:27 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2C9E11E811E for <hybi@ietfa.amsl.com>; Fri, 17 Jun 2011 23:27:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.295
X-Spam-Level:
X-Spam-Status: No, score=-3.295 tagged_above=-999 required=5 tests=[AWL=-0.318, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tlM0oaNL4p6v for <hybi@ietfa.amsl.com>; Fri, 17 Jun 2011 23:27:58 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id ED4C011E807C for <hybi@ietf.org>; Fri, 17 Jun 2011 23:27:57 -0700 (PDT)
Received: by gwb20 with SMTP id 20so123460gwb.31 for <hybi@ietf.org>; Fri, 17 Jun 2011 23:27:57 -0700 (PDT)
Received: by 10.236.154.4 with SMTP id g4mr2054785yhk.127.1308378476946; Fri, 17 Jun 2011 23:27:56 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by mx.google.com with ESMTPS id i6sm3352068anm.51.2011.06.17.23.27.55 (version=SSLv3 cipher=OTHER); Fri, 17 Jun 2011 23:27:55 -0700 (PDT)
Received: by yxt33 with SMTP id 33so2586275yxt.31 for <hybi@ietf.org>; Fri, 17 Jun 2011 23:27:55 -0700 (PDT)
Received: by 10.90.249.28 with SMTP id w28mr3504183agh.40.1308378475134; Fri, 17 Jun 2011 23:27:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.65.13 with HTTP; Fri, 17 Jun 2011 23:27:25 -0700 (PDT)
In-Reply-To: <000401cc2cf3$106d37d0$3147a770$@noemax.com>
References: <000401cc2cf3$106d37d0$3147a770$@noemax.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 17 Jun 2011 23:27:25 -0700
Message-ID: <BANLkTim_-kytRUdG-X51fFZY+Gj4mcypnQ@mail.gmail.com>
To: Arman Djusupov <arman@noemax.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org
Subject: Re: [hybi] "fresh" and "uniformly at random":
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2011 06:27:58 -0000

The term "fresh" is a term of art in cryptography.  It means, roughly,
"not used previously."  The term "uniformly at random" means draw from
the uniform random distribution over the set of all 32-bit sequences.
Both qualifications are necessary for this purpose.

Adam


On Fri, Jun 17, 2011 at 6:32 AM, Arman Djusupov <arman@noemax.com> wrote:
> Hello,
>
> Reading carefully the following paragraph I was left wondering what is exactly meant by the use of "fresh" and "uniformly at random":
>
> "When preparing a masked frame, the client MUST pick a fresh masking key uniformly at random from the set of allowed 32-bit values. The unpredictability of the masking key is essential to prevent the author of malicious applications from selecting the bytes that appear on the wire."
>
> Could we use a term other than "fresh" and also clarify what "uniformly at random" means? This is a "MUST" section so it should be absolutely clear and proper in its wording. As it has now it seems to possibly be a bit vulnerable to being read in "uniformly at random" ways and open to a "fresh" interpretation by each implementor :)
>
> With best regards,
> Arman
>
>> -----Original Message-----
>> From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of
>> Peter Saint-Andre
>> Sent: Friday, June 17, 2011 2:49 AM
>> To: hybi@ietf.org
>> Subject: [hybi] -09: sending, closing, errors, extensions
>>
>> More comments...
>>
>> Section 6.1 states:
>>
>>    5.  If the data is being sent by the client, the frame(s) MUST be
>>        masked as defined in Section 4.3.
>>
>> Section 6.2 states:
>>
>>    Data frames received by a server from a client MUST be unmasked as
>>    described in Section 4.3.
>>
>> The word "unmasked" makes it sound like this contradicts the text in Section
>> 6.1 -- as in, "must not be masked" as opposed to "the server shall remove
>> the masking applied by the client".
>>
>> In Section 7, the text about the close /reason/ makes it sound as if an
>> application might choose to show UTF-8 encoded data to an end user. That
>> might lead the reader to think that language tagging might be necessary.
>> Is it?
>>
>> In Section 8.2, there is no deterministic server behavior upon receiving data
>> that is not valid UTF-8. Why? What use cases would motivate accepting such
>> data instead of just closing the connection?
>>
>> Section 9.1 says:
>>
>>    Any extension-token used MUST either be a registered token
>>    (registration TBD), or have a prefix of "x-" to indicate a private-
>>    use token.
>>
>> It's probably not a good idea to have "registration TBD" in a document that is
>> going for IETF Last Call. :) Presumably a forward pointer to Section 11.6 would
>> suffice.
>>
>> Do we really want to encourage use of "x-"? See here for relevant
>> considerations (I plan to submit an updated version soon):
>>
>> http://tools.ietf.org/id/draft-saintandre-xdash-considered-harmful-01.txt
>>
>> Peter
>>
>> --
>> Peter Saint-Andre
>> https://stpeter.im/
>>
>>
>
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email