Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random
Marsh Ray <marsh@extendedsubset.com> Thu, 22 April 2010 17:55 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 100B828C1E3 for <tls@core3.amsl.com>; Thu, 22 Apr 2010 10:55:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKR0QcBB93Wh for <tls@core3.amsl.com>; Thu, 22 Apr 2010 10:55:14 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id E844328C1E1 for <tls@ietf.org>; Thu, 22 Apr 2010 10:45:00 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1O50SI-0005rP-Im for tls@ietf.org; Thu, 22 Apr 2010 17:44:50 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id C32416048 for <tls@ietf.org>; Thu, 22 Apr 2010 17:44:49 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX195DtocJIlYYRVrhRM/GUNm+hbl25610uM=
Message-ID: <4BD08B11.2020807@extendedsubset.com>
Date: Thu, 22 Apr 2010 12:44:49 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <201004212205.o3LM5pwQ019241@fs4113.wdf.sap.corp> <p06240887c7f52b14f905@[10.20.30.158]> <87fx2oxvua.fsf@mocca.josefsson.org> <p06240803c7f60d8cde2c@[10.20.30.249]>
In-Reply-To: <p06240803c7f60d8cde2c@[10.20.30.249]>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 17:55:16 -0000
On 4/22/2010 9:29 AM, Paul Hoffman wrote: > At 12:51 AM +0200 4/22/10, Simon Josefsson wrote: >> In which environments is the extension useful? >> >> The only motivation in the document that I can find is this: >> >> In some application environments, it is desirable to have the client >> and/or the server be able to input more random material in the master >> key calculation than is allowed by the fixed-length Random value. >> >> I believe more justification than that is required for Proposed >> Standard. I too do not feel that this proposed Proposed Standard is a good candidate for last call. >> In particular, what I'd like to see is references to some application >> environments where the extension is desirable, and the rationale why it >> is desirable in that environment. >> >> Without a rationale for when the extension is useful, it is impossible >> for implementers to know when use of this extension is warranted or not. > > The environment I described in the earlier thread is TLS with > Diffie-Hellman. I thought that saying that was sufficient, but I guess > it wasn't. > > In Diffie-Hellman key establishment with static keys, even if the PRNG > of one side is bad, the resulting pre-master secret is still sound. The RFCs state "TLS requires a cryptographically secure pseudorandom number generator (PRNG). Care must be taken in designing and seeding PRNGs." Clearly the intent here is a TLS implementation requires a cryptographically secure true RNG, presumably built from a PRNG initialized with sufficient entropy. Thus, there is no such such thing as a TLS implementation without a good PRNG. Insofar as it is the only justification for the proposed extension, draft-hoffman-tls-additional-random-ext would appear to introduce an endpoint-sans-entropy configuration as a supported feature of the protocol. I don't think that could be cleanly retrofitted into the TLS protocol at this stage. The endpoint-sans-entropy role would have to be negotiated but AFAICT no mechanism for doing this has been proposed. Obviously it would be a bad thing if both endpoints thought they could be the one without a working RNG! This negotiation would need to be strongly authenticated. Currently, most TLS negotiated parameters (e.g. version, ciphers and macs, renego) are exchanged in the hello messages. These are presumed by the endpoints to not be modified by an attacker while they are used during the handshake. Receipt of the valid Finished message retroactively authenticates (*danger*danger*) the parameters exchanged in the hello messages. So what prevents the attacker from forging the Finished messages? Only his lack of access to the MAC_secrets. (We have to assume he's downgraded the cipher to null or something he can break.) These are generated from the key block using master_secret, client_random, and server_random as inputs. Any proposed mechanism for negotiating which of the endpoints is the one that is allowed to have a predictable RNG must be able to securely authenticate without benefit of the client_random and server_random inputs. The attacker may be telling both sides "hey don't bother sending any entropy on this handshake I've got it covered". That leaves only the master_secret input, how is it calculated? Well, it comes from the premaster_secret and also the client_random and server_random inputs, but again they must be assumed to now be untrustworthy. In the case of static DH, the premaster_secret is always the same. So the attacker can replay a previous random to the side(s) with the predictable RNG and arrange for this second handshake to appear to complete successfully and re-use exactly the same keys, IVs, and MAC_secrets as before. But he doesn't have to generate the same Finished message. The attacker can include some unrecognized extension with crafted data in one or both of the hellos. It'll be ignored by the endpoint and it doesn't affect key generation but it will change the finished message. Now that the attacker has fixed the key and IV, he can perform chosen-plaintext attacks against the cipher (or worse). > Neither side knows whether or not the PRNG of the other side is bad, so > each side wants to supply sufficient randomness for the master secret > even if the other side's PRNG is bad. Without this extension, each side can supply between 224 and 256 bits of entropy, depending on how inaccurate you want to get with the gmt_unix_time parameter. The PRF which expands these bits has multiple layers of redundancy and perhaps even overkill (but in a good way). "224 bits ought to be enough for anybody". :-) Even an offline birthday attack on something that size is likely to be forever impractical. I'm all for adding entropy to RNGs in general. But in this case does not sound to me like a good tradeoff to spend any additional protocol complexity just to contributing more of it in effectively the same manner as the current 224 bits. > If a side with a bad PRNG adds its > own input, it doesn't hurt the randomness of the result, but a side with > a good PRNG can bring up the amount of randomness. Where it hurts is when an implementation's security analysis depends on that effect. > I did not want to list this as the justification because there may be > other reasons to use the extension, and I don't want readers to think > that this is the only one. For example, future types of TLS key > establishment might have similar properties as static-static > Diffie-Hellman. The problem is that in TLS these things are negotiated in the handshake and the attacker gets to choose most of the inputs into the negotiation up until the Finished messages are exchanged and validated. So the attacker gets his choice of the _weakest_ of all supported key exchange and MAC schemes of the client and server (individually) in attacking the handshake. Scary, isn't it? - Marsh
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Russ Housley
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Michael D'Errico
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Kemp, David P.
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- [TLS] RNG vs. PRNG Michael D'Errico
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Kemp, David P.
- Re: [TLS] RNG vs. PRNG Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] RNG vs. PRNG Martin Rex
- Re: [TLS] RNG vs. PRNG Martin Rex
- Re: [TLS] RNG vs. PRNG Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Sean Turner