Re: [TLS] New drafts: adding input to the TLS master secret

Bill Frantz <> Thu, 11 February 2010 07:01 UTC

Marsh Ray on Wednesday, February 10, 2010 wrote:

>I'm a fan of continual seeding as entropy becomes available.

However, be aware of "State Compromise Extension Attacks"*. If you dribble
in new entropy a few bits at a time to a compromised PRNG, and also expose
outputs of the PRNG, an attacker can try all possible values for the new
entropy and compare them with the known output continuing the compromise of
the PRNG. If, instead, you save the new entropy until a large number of
unguessable bits are available, you foil this attack.

I belong to the school that says, "Give me enough unguessable bits (e.g.
256), and a way to keep them secret, I can be secure to the heat death of
the universe." I like continually reseeding in large blocks because these
two requirements may not be possible.

Cheers - Bill

* John Kelsey, Bruce Schneier, David Wagner, Chris Hall: “Cryptanalytic
Attacks on Pseudorandom Number Generators”

Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
                   | buffer overruns.             | Los Gatos, CA 95032
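The state compromise extension Bill describes, and the batch-reseed defence, shown on a constructed toy hash PRNG. This is an added example, not code from the thread or from the Kelsey et al. paper; `ToyPRNG`, `EntropyPool` and the constructed seed and entropy values are assumptions for illustration only.

```python
import hashlib

class ToyPRNG:   # toy hash PRNG, constructed for this example, not a real design
    def __init__(self, seed: bytes):
        self.state, self.ctr = hashlib.sha256(seed).digest(), 0

    def reseed(self, entropy: bytes) -> None:   # state = H(state || entropy)
        self.state = hashlib.sha256(self.state + entropy).digest()

    def output(self) -> bytes:                  # out = H(state || counter)
        self.ctr += 1
        return hashlib.sha256(self.state + self.ctr.to_bytes(8, "big")).digest()

def guess_reseed(known_state: bytes, ctr: int, observed: bytes, bits: int):
    """State compromise extension: with the old state and one post-reseed output,
    try all 2**bits entropy inputs; returns the recovered new state or None."""
    nbytes = (bits + 7) // 8
    for g in range(1 << bits):
        cand = hashlib.sha256(known_state + g.to_bytes(nbytes, "big")).digest()
        if hashlib.sha256(cand + (ctr + 1).to_bytes(8, "big")).digest() == observed:
            return cand
    return None

class EntropyPool:
    """Defence: hash inputs into a pool and reseed only once the estimated
    unguessable bits reach `threshold`, so a guess must cover the whole pool."""
    def __init__(self, prng: ToyPRNG, threshold: int):
        self.prng, self.threshold = prng, threshold
        self.pool, self.bits = hashlib.sha256(), 0

    def add(self, entropy: bytes, est_bits: int) -> bool:
        self.pool.update(entropy)
        self.bits += est_bits
        if self.bits < self.threshold:
            return False                        # keep accumulating, no reseed yet
        self.prng.reseed(self.pool.digest())
        self.pool, self.bits = hashlib.sha256(), 0
        return True

def dribble_attack_succeeds(bits: int = 8) -> bool:
    """Compromised state, then a reseed with only `bits` bits and one visible output."""
    prng = ToyPRNG(b"constructed seed")
    leaked_state, ctr = prng.state, prng.ctr                 # the compromise
    prng.reseed((0x5A).to_bytes((bits + 7) // 8, "big"))     # the dribbled entropy
    return guess_reseed(leaked_state, ctr, prng.output(), bits) == prng.state

def pooled_reseeds(inputs: int, bits_each: int, threshold: int) -> int:
    # how many reseeds happen when `inputs` chunks of `bits_each` bits go via a pool
    pool = EntropyPool(ToyPRNG(b"constructed seed"), threshold)
    return sum(pool.add(bytes([i % 256]), bits_each) for i in range(inputs))
```

With 8-bit reseeds the guess loop recovers the new state after at most 256 hashes; with a 256-bit pool threshold the same 32 inputs produce one reseed whose input the attacker would have to guess all at once.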