Re: [TLS] 32 byte randoms in TLS1.3 hello's
Watson Ladd <watsonbladd@gmail.com> Mon, 24 July 2017 15:29 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0946A131E17 for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 08:29:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GIp0pMfi_afP for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 08:29:41 -0700 (PDT)
Received: from mail-pg0-x232.google.com (mail-pg0-x232.google.com [IPv6:2607:f8b0:400e:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4C8C129A9F for <tls@ietf.org>; Mon, 24 Jul 2017 08:29:41 -0700 (PDT)
Received: by mail-pg0-x232.google.com with SMTP id y129so58529105pgy.4 for <tls@ietf.org>; Mon, 24 Jul 2017 08:29:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8R63vQQ8AhkHfgifU/eNAqNBEeSNI0pQUblMXycbNUI=; b=mwmosdYWnFfwRDem/4PK83jrDI/ebXT0XYaxXjTnxi71MFAmp05PBDqfJVyJOv4IQS kINgHlXbTvBPVfcVXXe+ZfEIwvbxnZoA24EVLAiadZZIsHwiakAcTmCCfu8m7Z+/ZjVE aqaXISZHPNSZKNtrWrjGrIYjS4N9t1vT7oJpORmkP83aNt3+cHAT1KJzKKQRTZ0U178Q dFAiKBH0HFXOEvAkwD0YQ2CHKlbg2iP55UDARE8rm0twQFi5jZpIefFm7m2/IHoXsJN9 oC5LIYBRdg5SQtG0jBARkxgiAzWKjNHoiIAm/W2BfMhOHAnNaSCyqDGeSDQ97e78nAaS QVGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8R63vQQ8AhkHfgifU/eNAqNBEeSNI0pQUblMXycbNUI=; b=Y2wYn1ZsNLCsAS45ffjGsE2uY0SS5+0UDLME31kEG9ojWZHhdRGvjVjE2FRinc1BRm ZZebjrzMMkuykuceLOOWcM3Z2bUlKLHaglZGnc+vq9Fc20WBfQ1fS6OXr8c6dj/DPk8F tqV/psULF7BShekIdbGpEhVOA71JHF4TEOcf1kTCsUSCThOnPiIF4gxxfQlPvzcshFf3 Jvd75/cf10Z3ug2vJDnW38AQfpsZDcJ3dwAHqG1b7tpvMLTNBvu4sPhqFni/XAH7J6cH QWTaDf4OfGaUWq60rlCaM8NZDaT5oBM9yR/pgmm2E2tCRkQayemw/POiSVTwTI6cQIsz I4rg==
X-Gm-Message-State: AIVw111lPloj9HDO/qoaSBIs+QopX8t99dLis6yA6zEEykpLAsMh1Aa3 sJHmWEftApQ7fisZn7mNM5kJmYOp8g==
X-Received: by 10.99.114.73 with SMTP id c9mr16473470pgn.267.1500910181351; Mon, 24 Jul 2017 08:29:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.187.77 with HTTP; Mon, 24 Jul 2017 08:29:40 -0700 (PDT)
Received: by 10.100.187.77 with HTTP; Mon, 24 Jul 2017 08:29:40 -0700 (PDT)
In-Reply-To: <CACsn0c=r5X9DEMGXfmQEUdhHqG+J0e9YiRveyGT882xuRVko0A@mail.gmail.com>
References: <67679ecc-1043-a70a-6d57-8807f78e1afa@cs.tcd.ie> <CACsn0ckFz3NT9HratRJvEfypjDZmzE0W9+vRTHkLisLZrQj6MA@mail.gmail.com> <CACsn0c=wS4j8kuXUBvp4WZt8T69Gk3TdSW+kVKctUrYOD=ep-Q@mail.gmail.com> <CACsn0c=r5X9DEMGXfmQEUdhHqG+J0e9YiRveyGT882xuRVko0A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 24 Jul 2017 08:29:40 -0700
Message-ID: <CACsn0cnUZk0xsuxiToMF4EY51Ys4ss4JN1Nw2WL6Cr22K3gHfg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="f403045c70363309a1055511e2c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0L7fVe9n1w3ATZqzdn8Kuj5MsdQ>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 15:29:44 -0000
On Jul 24, 2017 8:15 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: Hiya, I'm guessing many folks interested in TLS may have been at the QUIC session in Prague and hence missed out on the excellent talk by Stephen Checkoway on the juniper dual-ec incident. (I highly recommend taking a peek at the slides [1] or reading the paper [2] or watching the video wherever that may be;-). Anyway, in TLS1.3 we've gotten rid of the gmt time option in the client and server hello, which is good, (and I do recall that discussion) but we've also changed from: // RFC5246 struct { uint32 gmt_unix_time; opaque random_bytes[28]; } Random; to: // tls1.3 -21 opaque Random[32]; Now if some TLS1.3 deployment were affected by a dual-ec attack, it'd seem like the -21 version of Random might be even better than the TLS1.2 version, for the attacker. I tried to see where that 28->32 change came from but didn't find it (apologies if I missed that). I guess it just ensures that the overall length of the struct is the same. So, a question and a possible suggestion: Q: Why do we need 32 bytes of Random? Suggestion: if we don't need that much, maybe we could change the length there, (I can see that might trigger bugs and middlebox issues) or encourage/require folks to mask out some of those bits (e.g. with zeros or some catchy hex encoded message about dual-ec:-). Anti-kleptography is not a matter of avoiding known attacks one at a time. The fact is that someone could add backdoor login credentials or a buffer overflow if they can also force dual- EC to be used. Don't use bad prngs. And don't buy products from vendors who ship back doors and refuse to come completely clean when confronted. Cheers, S. [1] https://www.ietf.org/proceedings/99/slides/slides-99-irtfopen-anrp-stephen- checkoway-a-systematic-analysis-of-the-juniper-dual-ec-incident-00.pdf [2] https://web.eecs.utk.edu/~mschucha/netsec/readings/p468-checkoway.pdf _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Russ Housley
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Joseph Lorenzo Hall
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Jeffrey Walton
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Salz, Rich
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell