Re: [TLS] Require deterministic ECDSA

Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 18:24 UTC

To: Yoav Nir <ynir.ietf@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com> <07742742-5517-4A94-9462-E41F4C3EB6FD@gmail.com> <56A42097.5010802@nthpermutation.com> <F819D2BB-53B0-4DD9-AAE4-856AAEDD0A8A@gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <56A516FA.3060708@nthpermutation.com>
Date: Sun, 24 Jan 2016 13:24:58 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <F819D2BB-53B0-4DD9-AAE4-856AAEDD0A8A@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8t-6P0JX2txLfBTwczd1Yl0JIYE>
Cc: tls@ietf.org
Subject: Re: [TLS] Require deterministic ECDSA

On 1/24/2016 5:12 AM, Yoav Nir wrote:
> The HSM has enough entropy to generate (once) a 256-bit (or 384-bit or 521-bit) key. When working as part of a TLS server using regular ECDSA it would need to generate a random k for each full handshake, and many such servers routinely handle tens of thousands of such handshakes per second. So it’s hundreds of kilobytes per second. For an HSM that has no network input, no I/O of any kind other than the signature requests, this may be a problem. I’ve seen people claim this in the past.

This *really* isn't how most HSMs work.  They mostly have TRNGs (True 
Random Number Generators), aka hardware RNGs, based on noisy diodes or 
ring oscillators or some such (e.g. no stupid Linux-like entropy source 
from keyboard motion or network interrupts).  This gets fed into a PRBG 
construct, something like the ones in SP800-90A, which does the 
entropy expansion/extraction to get you pretty much any number of bits 
you want of good-quality randomness in plenty of time to do handshakes.

There's actually a cool set of USB devices that provide a *very* good 
TRNG.  Take a look at 
http://ubld.it/products/truerng-hardware-random-number-generator/ or 
http://ubld.it/; the drivers (or internal logic) feed what they get 
from the TRNG into a good PRBG.  I've been playing with using them as an 
augmentation of how I generate keys.

If you're stuck on commodity hardware (e.g. an Intel motherboard) and 
worried about randomness, there's also this: 
https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide. 
Later versions of the Intel platform have a TRNG embedded in them as 
well as an SP800-90A PRBG.

One of the things about FIPS and RNGs is that there is a pretty good set 
of requirements AND tests that can be used to establish just how good 
an RNG source you have (and provide pretty good error detection and fail 
logics).

Later, Mike
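An added example, not code from this thread, from any HSM vendor, or from the ubld.it or Intel products named above: the TRNG-feeds-a-DRBG pipeline Mike describes, written out in Python. The raw noise source is screened by the SP 800-90B repetition count test (standing in for the FIPS "error detection and fail logics" he mentions), its samples seed an SP 800-90A HMAC_DRBG (what the message calls a PRBG), and the DRBG output is consumed as ECDSA per-message secrets k by the FIPS 186-4 B.5.2 candidate-testing method, i.e. the per-handshake random k that the thread's deterministic-ECDSA proposal would do away with. Everything specific here is an assumption for illustration: the noise source is os.urandom (or a deliberately stuck reader to show the health test tripping), each 8-bit sample is credited a conservative 1 bit of min-entropy, the test's false-alarm rate alpha is 2^-30, the DRBG uses HMAC-SHA-256, and the group order is that of P-256. Note that the same HMAC_DRBG construct, seeded with the private key and message hash instead of TRNG output, is exactly how RFC 6979 derives its deterministic k.

```python
"""TRNG -> SP 800-90B health test -> SP 800-90A HMAC_DRBG -> ECDSA k.

Illustrative code only (assumed parameters: H = 1 bit/sample, alpha = 2^-30,
HMAC-SHA-256, P-256 order); the noise source is a stand-in, not real hardware.
"""
import hashlib
import hmac
import math
import os

# Order n of the P-256 (secp256r1) group.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


class NoiseSourceFailure(Exception):
    """Raised when the raw source fails a continuous health test."""


class NoiseSource:
    """Raw noise source screened by the SP 800-90B repetition count test
    (section 4.4.1): a run of C identical samples is a failure, where
    C = 1 + ceil(-log2(alpha) / H) for credited min-entropy H per sample."""

    def __init__(self, raw_reader, min_entropy_per_sample=1.0, alpha_bits=30):
        self._raw = raw_reader  # callable: n -> n raw sample bytes
        self.cutoff = 1 + math.ceil(alpha_bits / min_entropy_per_sample)
        self._last = None
        self._run = 0

    def read(self, n):
        samples = self._raw(n)
        for sample in samples:  # the RCT state persists across reads
            if sample == self._last:
                self._run += 1
                if self._run >= self.cutoff:
                    raise NoiseSourceFailure("RCT: %d identical samples" % self._run)
            else:
                self._last, self._run = sample, 1
        return samples


def passes_health_test(raw_reader, n=1024):
    """True if n samples from raw_reader pass the RCT, False if it trips."""
    try:
        NoiseSource(raw_reader).read(n)
        return True
    except NoiseSourceFailure:
        return False


class HmacDrbg:
    """HMAC_DRBG with SHA-256 (SP 800-90A section 10.1.2)."""
    RESEED_INTERVAL = 1 << 16  # demo value; the standard permits up to 2^48

    def __init__(self, entropy_input, nonce=b"", personalization=b""):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data):
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data):  # HMAC_DRBG_Update
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, entropy_input, additional=b""):
        self._update(entropy_input + additional)
        self.reseed_counter = 1

    def generate(self, n_bytes, additional=b""):
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional)  # backtracking resistance: old state is gone
        self.reseed_counter += 1
        return out[:n_bytes]


def build_drbg(noise):
    """Instantiate at 256-bit strength: with 1 bit/sample credited, 256 raw
    samples carry the required entropy and 128 more serve as the nonce."""
    return HmacDrbg(noise.read(256), noise.read(128), b"TLS ECDSA nonces")


def ecdsa_nonce(drbg, n=P256_N):
    """FIPS 186-4 B.5.2: per-message secret k in [1, n-1] by testing
    candidates. A k that repeats or leaks reveals the signing key."""
    nbytes = (n.bit_length() + 7) // 8
    while True:
        k = int.from_bytes(drbg.generate(nbytes), "big")
        if 1 <= k <= n - 1:
            return k


if __name__ == "__main__":
    drbg = build_drbg(NoiseSource(os.urandom))
    print("stuck source passes RCT?", passes_health_test(lambda n: b"\x00" * n))
    print("first k:", hex(ecdsa_nonce(drbg)))
```

The one-time seeding is the only point at which the raw source's throughput matters; every later k costs a few HMAC calls, which is the entropy expansion Mike is pointing at. The stuck reader shows the other half of the FIPS story: a source that fails the continuous test must stop feeding the DRBG rather than silently seeding it with constants.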