[TLS] RNG vs. PRNG

Michael D'Errico <mike-list@pobox.com> Tue, 27 April 2010 00:54 UTC

Message-ID: <4BD6359C.7070008@pobox.com>
Date: Mon, 26 Apr 2010 17:53:48 -0700
From: Michael D'Errico <mike-list@pobox.com>
To: tls@ietf.org
References: <Pine.LNX.4.44.1004261355330.14419-100000@citation2.av8.net> <4BD5E3BD.2030605@extendedsubset.com> <4BD5EDB5.50409@pobox.com> <4BD60329.3030403@extendedsubset.com>
In-Reply-To: <4BD60329.3030403@extendedsubset.com>

Here are all the places within my code that generate random
values and whether they are purely random or pseudo-random
(via a CPRNG):

     RNG    generate RSA premaster secrets
     RNG    generate encryption key and HMAC secret used
            for session ticket protection

     CPRNG  generate (part of) session IDs
     CPRNG  generate initialization vectors

     CPRNG  generate hello random values
     CPRNG  generate random premaster secret in server (as
            part of defense against Bleichenbacher attack
            and version rollback detection)

These last two are debatable.  Marsh would have the hello
randoms be purely random, not just unpredictable, and the
OpenSSL implementation uses a CPRNG for the last one, but
has a note that it /should/ use an RNG.

IANAC, but wonder why the hello randoms would need to be purely
random, versus just unpredictable, since they go over the wire
in the clear?

Also, does anyone know why the random premaster secret should
be generated with a real RNG versus a CPRNG?

Thanks,

Mike
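An added example, not code from the original post or from any implementation it mentions, showing in Python where a TLS 1.0-1.2 RSA handshake draws random bytes and why the source matters. It assumes Python's `secrets` (OS-backed CSPRNG) stands in for the "CPRNG/RNG" of the mail, uses a seeded `random.Random` only to show what an attacker-predictable generator looks like, and replaces the RSA decryption with a caller-supplied callable so it runs offline; the fallback-premaster logic follows the Bleichenbacher countermeasure in RFC 5246 section 7.4.7.1, which the post references but does not quote.

```python
"""Added example (not from the original post): TLS 1.0-1.2 random values
and the server-side random premaster secret countermeasure.

Assumptions: `secrets` is the OS CSPRNG; `random.Random` is a deterministic
PRNG used only to demonstrate predictability; `decrypt` is a stand-in for
RSA PKCS#1 v1.5 decryption supplied by the caller.
"""
import random
import secrets
import struct
import time

HELLO_RANDOM_LEN = 32   # 4-byte gmt_unix_time + 28 random bytes (RFC 5246 7.4.1.2)
PREMASTER_LEN = 48      # 2-byte client_version + 46 random bytes (RFC 5246 7.4.7.1)
TLS_1_2 = b"\x03\x03"


def hello_random(now=None):
    """ClientHello/ServerHello 'random' drawn from the OS CSPRNG.
    Two calls never agree, and nothing the peer sees lets it predict the next one."""
    t = int(time.time()) if now is None else now
    return struct.pack("!I", t & 0xFFFFFFFF) + secrets.token_bytes(HELLO_RANDOM_LEN - 4)


def weak_hello_random(seed, now=0):
    """Same wire layout, but drawn from a seeded deterministic PRNG.
    Anyone who knows or recovers the seed reproduces every 'random' this
    peer will ever send, even though the value itself looks fine."""
    rng = random.Random(seed)
    return struct.pack("!I", now & 0xFFFFFFFF) + bytes(
        rng.getrandbits(8) for _ in range(HELLO_RANDOM_LEN - 4)
    )


def client_premaster(client_version=TLS_1_2):
    """RSA key exchange: the secret the client encrypts under the server's key.
    The first two bytes carry the client's offered version (rollback detection)."""
    return client_version + secrets.token_bytes(PREMASTER_LEN - 2)


def server_premaster(decrypt, encrypted_pms, expected_version=TLS_1_2):
    """Server side of the RSA key exchange with the RFC 5246 7.4.7.1 countermeasure.

    Draw a random premaster secret *before* decrypting, then use it whenever
    the padding check or the version check fails. The handshake continues
    either way and only fails at Finished, so a Bleichenbacher oracle gets no
    padding-valid/invalid signal and a rolled-back version is not honoured.
    Caveat: a production implementation also makes the decrypt step itself
    constant-time; this example only shows the selection logic.
    """
    fallback = expected_version + secrets.token_bytes(PREMASTER_LEN - 2)
    try:
        pms = decrypt(encrypted_pms)
    except ValueError:          # bad PKCS#1 v1.5 padding: do NOT alert
        return fallback
    if len(pms) != PREMASTER_LEN or pms[:2] != expected_version:
        return fallback         # wrong length or version rollback
    return pms


if __name__ == "__main__":
    # Constructed demo: a predictable generator replays, the CSPRNG does not.
    print("seeded PRNG replays:", weak_hello_random(1234) == weak_hello_random(1234))
    print("CSPRNG replays:     ", hello_random(0) == hello_random(0))
    pms = client_premaster()
    print("valid pms kept:     ", server_premaster(lambda c: c, pms) == pms)

    def bad_padding(_):
        raise ValueError("bad PKCS#1 padding")

    fb = server_premaster(bad_padding, b"\x00" * 256)
    print("fallback shape ok:  ", len(fb) == PREMASTER_LEN and fb[:2] == TLS_1_2)
```

The point the two hello-random functions make is that "looks random" and "unpredictable to the peer" are different properties: the seeded generator produces a byte string with the same layout and statistics, but its whole future follows from its state. `server_premaster` shows why the fallback secret is generated first and unconditionally: if it were generated only on failure, the extra work on the error path would itself leak which branch was taken.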