Re: [TLS] 32 byte randoms in TLS1.3 hello's
mrex@sap.com (Martin Rex) Wed, 26 July 2017 20:57 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09182131CE5 for <tls@ietfa.amsl.com>; Wed, 26 Jul 2017 13:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.421
X-Spam-Level:
X-Spam-Status: No, score=-6.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l6z9_80PhIod for <tls@ietfa.amsl.com>; Wed, 26 Jul 2017 13:57:34 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55FEB129A9F for <tls@ietf.org>; Wed, 26 Jul 2017 13:57:34 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3xHnVh4mMzz25Rd; Wed, 26 Jul 2017 22:57:32 +0200 (CEST)
X-purgate-ID: 152705::1501102652-00000805-5C18835A/0/0
X-purgate-size: 1266
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3xHnVh3qQqzGp3B; Wed, 26 Jul 2017 22:57:32 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 784F41A6CB; Wed, 26 Jul 2017 22:57:32 +0200 (CEST)
In-Reply-To: <CAAF6GDcSb3jqirTRW7_Udr4u6QJtFpmFug02pMuX-CjEiyNPfg@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 26 Jul 2017 22:57:32 +0200
CC: mrex@sap.com, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20170726205732.784F41A6CB@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3YIw-R_KTpprW76bvLEYomsM9SQ>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 20:57:36 -0000
Colm MacCárthaigh wrote: > Martin Rex <mrex@sap.com> wrote: >> >> With RDRAND, you would use e.g. SHA-256 to compress 10*256 = 2560 Bits of >> a black-box CPRNG output into a 256-bit _new_ output that you >> actually use in communication protocols. > > If the relation between the RDRAND input and the output of your function is > fixed, then your attacker than just do the same thing. It doesn't help at > all really. You have to mix RDRAND with something else that is unknowable > to the attacker as part of the process. Through the 10x compression of the RDRAND output, which will provably create an incredibly huge amount of collisions, the attacker will be unable to identify any particular output values of RDRAND. Your conceived attack could only work under the condition that 10 RDRAND consecutive outputs are always fully deterministic, and that also the seed used by RDRAND will be fully deterministic to the attacker -- or can otherwise be learned out-of-band by the attacker -- while at the same time this property will remain invisible to all external randomness tests. Can you shed any light on how you believe and attacker could meet such preconditions, because I'm not seeing the problem yet. -Martin
- [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Russ Housley
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Joseph Lorenzo Hall
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Jeffrey Walton
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Salz, Rich
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell