Re: [TLS] 32 byte randoms in TLS1.3 hello's
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 25 July 2017 12:20 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0F7B131C89 for <tls@ietfa.amsl.com>; Tue, 25 Jul 2017 05:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVidMD1s5zJe for <tls@ietfa.amsl.com>; Tue, 25 Jul 2017 05:20:18 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E00BB131C37 for <tls@ietf.org>; Tue, 25 Jul 2017 05:20:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 4C415BE2C; Tue, 25 Jul 2017 13:20:15 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWF5PIr4IhpF; Tue, 25 Jul 2017 13:20:15 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 15963BDF9; Tue, 25 Jul 2017 13:20:15 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1500985215; bh=O43tG69/3RJ+oohx7sp8ypH6T+9FA6YBEQYuqCWbuo4=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=EQsjS7lVvhsSaT3/PzIfFArbRRep0l5Z5RVvAxcLfZQi8eUwXrDrOTrx/UiAXJUj7 T8wqiohNugG3rQIudIduXl+xZhocIPQrkvwS8tJ+BB885E9jtLd7gIS/e+1IQfKu9T F1PRzR/yfd47uyAjTIDJpR/G7xXZcc72zMSaDi7c=
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Colm MacCárthaigh <colm@allcosts.net>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <67679ecc-1043-a70a-6d57-8807f78e1afa@cs.tcd.ie> <CAAF6GDejyu7+ApbG-drMOSW3M=nc1MJJeA45O40RDbEedk15kA@mail.gmail.com> <1500954833319.1033@cs.auckland.ac.nz>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <f328d15e-6eed-e257-5cc3-51e9af2f4bfe@cs.tcd.ie>
Date: Tue, 25 Jul 2017 13:20:14 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <1500954833319.1033@cs.auckland.ac.nz>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="iXTGXpNuaHdA5kuTJ0QIFWv1nQTA3rSQQ"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8JXIYlG9zi_UMuNajczTPKiPYWU>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 12:20:21 -0000
On 25/07/17 04:53, Peter Gutmann wrote: > Colm MacCárthaigh <colm@allcosts.net> writes: > >> I think the fix for this is really at the application level; if you >> want defense-in-depth against PRNG problems, it's probably best to use >> separate RNG instances for public data (e.g. client_random, >> server_random, explicit_IV) and for secret data (keys) so that a leak >> in the public data doesn't compromise the private one. We do this in >> s2n, and I think BouncyCastle does it too. > > I do that too. It's also specified in the LTS draft, it's just common > sense really. I guess you mean this: " TLS-LTS drops the requirement to generate the Client.random and Server.random using "a secure random number generator", typically the one used to generate encryption keys. The use of a secure/ cryptographic random number generator serves no obvious purpose (all that's required is a unique value), but exposes 224 bits of the cryptographic RNG output to an attacker, allowing them to analyse and potentially attack the RNG, and by extension any crypto keys that it generates: o Implementations SHOULD NOT use the raw output from a cryptographic/secure RNG that's used to generate keying material to generate the Client.random and Server.random values. Instead, they SHOULD employ a mechanism that doesn't directly expose cryptographic RNG output to attackers, for example by using the crypto RNG to seed a hash-based PRF such as the TLS PRF and using the output of that for the values. " I think something along these lines would be good advice to add to appendix C.1 or to 4.1.2 where Random is defined. That said, I'd still argue for an approach that a peer could see was in use when "public" random byes aren't really needed but fair enough if that doesn't resonate with people. Cheers, S. > > Peter. >
- [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Russ Housley
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Joseph Lorenzo Hall
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Jeffrey Walton
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Salz, Rich
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell