IETF Logo Mail Archive

Re: [TLS] 32 byte randoms in TLS1.3 hello's

Dan Brown <danibrown@blackberry.com> Sat, 29 July 2017 20:30 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9136131D13 for <tls@ietfa.amsl.com>; Sat, 29 Jul 2017 13:30:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGTVfYBiPjg7 for <tls@ietfa.amsl.com>; Sat, 29 Jul 2017 13:30:38 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96BBE131E7A for <tls@ietf.org>; Sat, 29 Jul 2017 13:30:37 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs215cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Jul 2017 16:30:35 -0400
Received: from XCT116CNC.rim.net (10.65.161.216) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Sat, 29 Jul 2017 16:30:34 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT116CNC.rim.net ([::1]) with mapi id 14.03.0319.002; Sat, 29 Jul 2017 16:30:33 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Colm MacCárthaigh <colm@allcosts.net>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Eric Rescorla <ekr@rtfm.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] 32 byte randoms in TLS1.3 hello's
Thread-Index: AQHTBI+yUHLG+hMivEObnVpzx6wh/KJjeS0AgAC0BYCAAI15AIAAcHiAgABSRwCAABeRgIAAta2AgAATyICAAC25AIAAMDwAgAANUQCAABPSAIAABQGAgAAkyoCAAYN2AP//zaLlgABFtACAAAITAIAAleMAgAADerCAAHJeAIABUPW7gABnW4D//+Wy+Q==
Date: Sat, 29 Jul 2017 20:30:33 +0000
Message-ID: <20170729203031.8573013.59357.16296@blackberry.com>
References: <CAAF6GDcSb3jqirTRW7_Udr4u6QJtFpmFug02pMuX-CjEiyNPfg@mail.gmail.com> <20170726205732.784F41A6CB@ld9781.wdf.sap.corp> <CAAF6GDcQCCeq1JosMTpQrh7MZLG1iN-xcOfsXC0LvSZRx+oQjQ@mail.gmail.com> <046ad800-351b-3a79-3f56-7883f5d9ceea@cs.tcd.ie> <CABcZeBMyY0f9D9VEmkKNkLB2OY3TRG7UO-B48xOrA3JSP5xRkw@mail.gmail.com> <20170727233335.8573013.91860.16216@blackberry.com> <2DB2CA47-5121-4B3E-BE0E-116A76F4870E@ll.mit.edu> <CABcZeBNF3WjY6AKoDY4drB+XjMS9LLZ5DmhR=DFX+-0YtKO71g@mail.gmail.com> <726e6666-8af4-384a-95f7-45cb68a331f7@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF501B745D8@XMB116CNC.rim.net> <0698b5f7-3dd7-ee4f-5464-6a7e98a20240@cs.tcd.ie> <20170729155445.8573013.35196.16289@blackberry.com>, <CAAF6GDfwozYHhvarFcxqQj4z+X-6n_43RYvOY6awekixGQTDfA@mail.gmail.com>
In-Reply-To: <CAAF6GDfwozYHhvarFcxqQj4z+X-6n_43RYvOY6awekixGQTDfA@mail.gmail.com>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_2017072920303185730135935716296blackberrycom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0zMM4G2hZHGuuQjXbOu0-SwTxj8>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jul 2017 20:30:41 -0000

‎Section 3, of the eprint "Ron is wrong, Whit is right", subsection "Moduli with shared primes", suggests to me that it's not unlikely when seeding two secrets near in time, one has low entropy (by accident). That's not the only explanation of the observed shared primes, but is plausible and relevant to the question at hand. (I thought I mentioned this earlier.)
From: Colm MacCárthaigh
Sent: Saturday, July 29, 2017 2:04 PM
To: Dan Brown
Cc: Stephen Farrell; Eric Rescorla; Blumenthal, Uri - 0553 - MITLL; tls@ietf.org
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's




I don't see anything relevant to the problem at hand in that paper. Did you reference the right one? There are some mentions about not re-using random secrets, but that applies no matter how many RNGs you use.

In your previous mail, even if an implementer were to seed two RNGs from one CSPRNG, and all 3 are bad generator, this is still strictly better than one broken generator; because the amount of work an attacker must do is far greater.

On Sat, Jul 29, 2017 at 8:54 AM, Dan Brown <danibrown@blackberry.com<mailto:danibrown@blackberry.com>> wrote:
https://eprint.iacr.org/2012/064
mentions the problem of generating multiple secrets instead of a single secret




  Original Message
From: Stephen Farrell
Sent: Friday, July 28, 2017 11:48 AM
To: Dan Brown; Eric Rescorla; Blumenthal, Uri - 0553 - MITLL
Cc: tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's


I don't think this is simply a case of multiple CSPRNGs.

My guess is many TLS implementations don't have visibility
into how the CSPRNG operates. That code does however, know
which output values will be public and which not. For me,
that implies that any good separation scheme applied within
the TLS code that differentiates between public and non
public outputs is a good plan. Yes, if an attacker can bork
your CSPRNG, they may be able to get at the TLS code too
sometimes, but I'd argue the defence in depth is worthwhile.

Cheers,
S.

On 28/07/17 14:37, Dan Brown wrote:
> I try below to better explain my points against separated public and private CSPRNG instances.
>
> Perhaps the easiest way to get "independent" seeds for the two instances of a CSPRNG, is to use a third CSPRNG instance to generate the seeds.  But then the problem arises again, if the 3 CSPRNGs are bad enough, (0=seeder, 1=public, 2=private), there is a risk that:
>
> Public_nonce=output1=>seed1=output0_for_1=>seed0=>output0_for_2=seed2=>output_2=private_key=TLS_insecurity.
>
> In short, generally speaking, three bad CSPRNGs do not combine easily into 1 good CSPRNG.
>
> (I'm not yet sure if this attack on three CSPRNGs combined applies to Dual_EC, since it may do something hash-like to the seed (I forgot details), and also output leaks the next state, not the previous state, as I recall, so that might break the chain above.)
>
> The alternative to a 3rd CSPRNG is to get the seeds from directly from a raw entropy source. In that case, keep in mind that one of the purposes of CSPRNGs is that raw entropy sources are unreliable (sometimes stall, etc. [references to be added]) and generally weak on the independence (they are non-uniform, hence have correlations).  CSPRNGs are supposed to correct these deficiencies, among other things.  So, if the 2 seeds are generated directly from a raw entropy sources (without a CSPRNG), two things may go wrong. First, deriving one seed from the other might be feasible because of non-uniformity. A bad CSPRNG might enable this this to be exploited, by finding one seed from the other.  Second, if the entropy source stalls (down a trickle of low entropy), between too close seed requests - accidentally - then even a good CSPRNG couldn't cope.
>
> Maybe, all this wouldn't be a problem on many higher end systems, with high entropy, so my concern is lower end systems, and also unnecessary complications of maintaining multiple bad CSPRNGs, potentially to no avail.
>
> Finally, on systems with a linux-style interface, /dev/urandom and /dev/random could be used as the two CSPRNGs on some systems (or seed sources), although I think one of these is now deprecated?
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>] On Behalf Of Stephen Farrell
> Sent: Friday, July 28, 2017 4:47 AM
> To: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>; Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu<mailto:uri@ll.mit.edu>>
> Cc: tls@ietf.org<mailto:tls@ietf.org>
> Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
>
>
> Hiya,
>
> On 28/07/17 00:50, Eric Rescorla wrote:
>> I used the term "separate" here, which was intended to convey this,
>> but if people think "independent" or something is better, happy to change.
>
> I think your change is a fine improvement over -21, thanks.
> (And my suggested text was as imperfect as I usually manage:-)
>
> I'm not clear if implementers will or will not get the ramifications of "separate" (or "independent"), so I think we ought describe (or reference) at least one way in which that separation can be achieved.
>
> I also think we ought at least RECOMMEND separate CSPRNGs.
> I'd prefer a MUST myself but since there's no one good way we can describe to achieve the effect that'd work in all cases, I don't think we can say MUST.
>
> Cheers,
> S.
>
>
>>
>> -Ekr
>>
>>
>> On Thu, Jul 27, 2017 at 4:43 PM, Blumenthal, Uri - 0553 - MITLL <
>> uri@ll.mit.edu<mailto:uri@ll.mit.edu>> wrote:
>>
>>> Respectfully disagree. Having two cryptographically independent
>>> PRNGs, one for public data and one for key material, IMHO is a good
>>> idea. Of course, both should be properly seeded - but that's a different issue.
>>>
>>> Regards,
>>> Uri
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 27, 2017, at 19:33, Dan Brown <danibrown@blackberry.com<mailto:danibrown@blackberry.com>> wrote:
>>>
>>>
>>> I don't think 2 CSPRNGs is a good idea.
>>>
>>> Wasn’t there a few years back some RSA keys with separate p and q,
>>> generated independently leading to an attack...
>>>
>>> Here if the seeds to initialize the RNGS are related, or one is weak,
>>> or worst if the seed is a raw source that doesn’t change in the
>>> moments between the two CSPRNG inits, that'd be bad, even if the CSPRNGs were good.
>>> *From: *Eric Rescorla
>>> *Sent: *Thursday, July 27, 2017 6:34 PM
>>> *To: *Stephen Farrell
>>> *Cc: *tls@ietf.org<mailto:tls@ietf.org>
>>> *Subject: *Re: [TLS] 32 byte randoms in TLS1.3 hello's
>>>
>>> Spec updated here;
>>> https://github.com/tlswg/tls13-spec/commit/465de0e189b2b59090d0eac0ac
>>> bc42
>>> 942af9ca77
>>>
>>> -Ekr
>>>
>>>
>>> On Wed, Jul 26, 2017 at 4:27 PM, Stephen Farrell <
>>> stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:
>>>
>>>>
>>>> I've suggested some text for this in a PR [1] based on what people
>>>> have said in this thread.
>>>>
>>>> I'm sure that can be further improved.
>>>>
>>>> It might be no harm to add more pointers to that appendix from
>>>> elsewhere in the spec, and/or to add a list of the various
>>>> public/private random numbers that are needed to that appendix. (I'd
>>>> be happy to do a pass to identify those if folks basically like this
>>>> kind of addition.)
>>>>
>>>> I also need to figure out how to handle the reference properly:-)
>>>> Can do that tomorrow.
>>>>
>>>> Cheers,
>>>> S.
>>>>
>>>> [1] https://github.com/tlswg/tls13-spec/pull/1068
>>>>
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org<mailto:TLS@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org<mailto:TLS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org<mailto:TLS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org<mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls



--
Colm

v2.23.0 | Report a Bug | By Email