IETF Logo Mail Archive

Re: [TLS] 32 byte randoms in TLS1.3 hello's

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 25 July 2017 12:20 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0F7B131C89 for <tls@ietfa.amsl.com>; Tue, 25 Jul 2017 05:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVidMD1s5zJe for <tls@ietfa.amsl.com>; Tue, 25 Jul 2017 05:20:18 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E00BB131C37 for <tls@ietf.org>; Tue, 25 Jul 2017 05:20:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 4C415BE2C; Tue, 25 Jul 2017 13:20:15 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWF5PIr4IhpF; Tue, 25 Jul 2017 13:20:15 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 15963BDF9; Tue, 25 Jul 2017 13:20:15 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1500985215; bh=O43tG69/3RJ+oohx7sp8ypH6T+9FA6YBEQYuqCWbuo4=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=EQsjS7lVvhsSaT3/PzIfFArbRRep0l5Z5RVvAxcLfZQi8eUwXrDrOTrx/UiAXJUj7 T8wqiohNugG3rQIudIduXl+xZhocIPQrkvwS8tJ+BB885E9jtLd7gIS/e+1IQfKu9T F1PRzR/yfd47uyAjTIDJpR/G7xXZcc72zMSaDi7c=
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Colm MacCárthaigh <colm@allcosts.net>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <67679ecc-1043-a70a-6d57-8807f78e1afa@cs.tcd.ie> <CAAF6GDejyu7+ApbG-drMOSW3M=nc1MJJeA45O40RDbEedk15kA@mail.gmail.com> <1500954833319.1033@cs.auckland.ac.nz>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <f328d15e-6eed-e257-5cc3-51e9af2f4bfe@cs.tcd.ie>
Date: Tue, 25 Jul 2017 13:20:14 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <1500954833319.1033@cs.auckland.ac.nz>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="iXTGXpNuaHdA5kuTJ0QIFWv1nQTA3rSQQ"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8JXIYlG9zi_UMuNajczTPKiPYWU>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 12:20:21 -0000


On 25/07/17 04:53, Peter Gutmann wrote:
> Colm MacCárthaigh <colm@allcosts.net> writes:
> 
>> I think the fix for this is really at the application level; if you 
>> want defense-in-depth against PRNG problems, it's probably best to use 
>> separate RNG instances for public data (e.g. client_random, 
>> server_random, explicit_IV) and for secret data (keys) so that a leak 
>> in the public data doesn't compromise the private one. We do this in 
>> s2n, and I think BouncyCastle does it too. 
> 
> I do that too.  It's also specified in the LTS draft, it's just common 
> sense really.

I guess you mean this:

"
   TLS-LTS drops the requirement to generate the Client.random and
   Server.random using "a secure random number generator", typically the
   one used to generate encryption keys.  The use of a secure/
   cryptographic random number generator serves no obvious purpose (all
   that's required is a unique value), but exposes 224 bits of the
   cryptographic RNG output to an attacker, allowing them to analyse and
   potentially attack the RNG, and by extension any crypto keys that it
   generates:

   o  Implementations SHOULD NOT use the raw output from a
      cryptographic/secure RNG that's used to generate keying material
      to generate the Client.random and Server.random values.  Instead,
      they SHOULD employ a mechanism that doesn't directly expose
      cryptographic RNG output to attackers, for example by using the
      crypto RNG to seed a hash-based PRF such as the TLS PRF and using
      the output of that for the values.
"

I think something along these lines would be good advice to add
to appendix C.1 or to 4.1.2 where Random is defined.

That said, I'd still argue for an approach that a peer could
see was in use when "public" random byes aren't really needed but
fair enough if that doesn't resonate with people.

Cheers,
S.


> 
> Peter.
>

v2.23.0 | Report a Bug | By Email