Re: [TLS] 32 byte randoms in TLS1.3 hello's
Colm MacCárthaigh <colm@allcosts.net> Wed, 26 July 2017 16:06 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93B18132084 for <tls@ietfa.amsl.com>; Wed, 26 Jul 2017 09:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eibrVN0Vrx3I for <tls@ietfa.amsl.com>; Wed, 26 Jul 2017 09:06:20 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0651D131CEE for <tls@ietf.org>; Wed, 26 Jul 2017 09:06:20 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id i6so56674667ywb.1 for <tls@ietf.org>; Wed, 26 Jul 2017 09:06:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=f8A14+BXwYI+OhmzdF0BsNjpfjqkWYD7JAMUIjkBFeU=; b=w8C1fkc7qvK3qJwTcIArJjnvwmVAPR948FD1j3MwdZN9UNy+ZAckydX7/dpO4aVHrU o6YlV+6jUz1VGAz+6aWOqT2r72Jmi2O9bCxO0AybST8KaHlaDsEveh/F6t8S38ekTB7I sMICkc1G0pboyLsblXXMleGh70uHF33mLlv1bIgLISwPoC1KUjawGz3Y2fy/W1dU6wGi uxGbKWWHHgpiPlpisCoPQ5Zq5Xfrj19y30aLDcGisStCLhUrEtR2WVwWSUaS3GlpXkLH s3grzsDohXeFUnz8ggLWtL62jaTx4l76vVZy7kz5whdwUr8cPTtJqibPV85SLrt2/PWz DqaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=f8A14+BXwYI+OhmzdF0BsNjpfjqkWYD7JAMUIjkBFeU=; b=i3mrf1abKRmUDnYijx+qaMxAoE6X/5lIvxnkh1wE/onp6e3XVW9WWEGlatEUFmB7Gs 1gHMs/PyiQyZGfSl5CX1K4i0GZeiinRcJGB8rwWAqbKdjVXOkqWQTUtUsR2YN1eKujWJ 5BORVbqr+kJVC75q9zl4+9atykxFBmTDbhXlyuquW1c/r8//tvso6tAZqoiAIThT6gmu GcDyRM6LeWb4STw8JG1lJYKHGR7tPzgLrNxO6qmLvLo/f6ivUoXrGLHtgfWxPTCbc+kx xIEZ7JPMklLKWNaLbbgyYhCkrVyJfs4oCRkll7bZm2ZBnegn1XiZhxyWPYhdHcvPThap 6heQ==
X-Gm-Message-State: AIVw113DrdYv3ApKxGWBvR32xMHkY/hClFVYmo10Az98Q1EWP/VBwmpi UfhRyG5v+DowW5wcLHZDQBAnPWm/9TG3
X-Received: by 10.37.171.79 with SMTP id u73mr1225053ybi.329.1501085178956; Wed, 26 Jul 2017 09:06:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.71 with HTTP; Wed, 26 Jul 2017 09:06:18 -0700 (PDT)
In-Reply-To: <20170726132239.53A981A6CB@ld9781.wdf.sap.corp>
References: <1501071106566.29442@cs.auckland.ac.nz> <20170726132239.53A981A6CB@ld9781.wdf.sap.corp>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 26 Jul 2017 09:06:18 -0700
Message-ID: <CAAF6GDfe7rXRwSnuiMgftBGUnToDbzEJqedkZwcvPiJodd=2aA@mail.gmail.com>
To: mrex@sap.com
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c188c62def25205553aa021"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7FDrPDJw3qZhCZZMFPepJ_0tGvg>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 16:06:21 -0000
On Wed, Jul 26, 2017 at 6:22 AM, Martin Rex <mrex@sap.com> wrote: > Since you also have no idea whether and how the internal hardware design > behind Intel RDRAND is backdoored, you should not be using any of its > output without an at least 10x cryptographic compression in any case. > Obviously your CPU can fully compromise you locally, so that's not very interesting to think about. But for remote attacks, like the one you describe here, where an adversary may use predictable PRNG output, it is probably better to mix RDRAND output with something else. There are a few layers of defense here, such as multi-source NRBGs, or personalization strings. Those significantly distance the output from the RDRAND. The kind of compression you mention here can be easily precomputed and tables generated by someone with a large amount of resources, since it's a pure function. In BoringSSL, and s2n, we mix RDRAND in as part of the reseeding. But the initial seed came from urandom (which is not pure RDRAND). In s2n, we also use personalization strings to provide another degree of defense. -- Colm
- [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Russ Housley
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Joseph Lorenzo Hall
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Jeffrey Walton
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Salz, Rich
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell