Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random

Marsh Ray <> Mon, 26 April 2010 21:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7F9DA3A6B34 for <>; Mon, 26 Apr 2010 14:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.568
X-Spam-Status: No, score=0.568 tagged_above=-999 required=5 tests=[AWL=-1.433, BAYES_50=0.001, SARE_RAND_1=2]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G4wg1707nqHZ for <>; Mon, 26 Apr 2010 14:18:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B1DB23A69CD for <>; Mon, 26 Apr 2010 14:18:48 -0700 (PDT)
Received: from ([]) by with esmtpa (Exim 4.68) (envelope-from <>) id 1O6VhM-000Aub-9W; Mon, 26 Apr 2010 21:18:36 +0000
Received: from [] (localhost []) by (Postfix) with ESMTP id 09BB560B6; Mon, 26 Apr 2010 21:18:35 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Report-Abuse-To: (see for abuse reporting information)
X-MHO-User: U2FsdGVkX18i2TNZHNxF4fTxhP94bZYx9emQty2DvZ8=
Message-ID: <>
Date: Mon, 26 Apr 2010 16:18:33 -0500
From: Marsh Ray <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Michael D'Errico <>
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Apr 2010 21:18:59 -0000

Taking off of CC list as this seems to be very TLS specific.

On 4/26/2010 2:47 PM, Michael D'Errico wrote:
> No, if you look at the implementation notes in RFC 5246, you will see that
> it really is meant to be pseudo-random:

I believe this wording is particularly unfortunate and needs to be fixed.

Perhaps Ekr will weigh in on this?

Here's my interpretation:

>    Appendix D.  Implementation Notes
>    D.1.  Random Number Generation and Seeding
>       TLS requires a cryptographically secure pseudorandom number generator
>       (PRNG).

Yes, it does.

Note that this does not modify the definition of random_bytes as
"28 bytes generated by a secure random number generator."

> Care must be taken in designing and seeding PRNGs.

Yes, it must.

Note the term "seeding".

>       based on secure hash operations, most notably SHA-1, are acceptable,
>       but cannot provide more security than the size of the random number
>       generator state.

None of this is literally untrue, but the placement of this whole
paragraph seems to confuse the RNG/PRNG distinction.

I believe it was expected that the reader would understand that a True
RNG was being talked about. It seems to be taken for granted that this
will follow the conventional implementation of as pool of bits
containing sufficient entropy which is stirred by a strong
hash-function-based PRNG.

Places in the spec that need the "pseudo" generator define a
"pseudorandom function (PRF)" and use that term. The TLS 1.1 spec
>    [RANDOM]   Eastlake, D., 3rd, Schiller, J., and S. Crocker,
>               "Randomness Requirements for Security", BCP 106, RFC 4086,
>               June 2005.
which I intend to read immediately.

> A server especially would not want to use an RNG (over a PRNG) since an
> attacker could rob it of all its entropy by sending a flood of bogus
> ClientHellos.

You need a good true RNG to implement TLS securely.

You shouldn't worry about it "running out of entropy". That it won't is
inherent in the definition of "good true RNG" as a primitive operation.
Another way of saying it is: if you're worried about running out of
entropy then fix your RNG, don't weaken the protocol implementation.

If you dump enough entropy* in the pool and stir it and extract it using
a strong hash function, the attacker can't reverse its state. This
fascinating topic is treated at length in "the literature" and I learned
a lot last time this thread came up.

*I think we've established that 2**224 is "probably enough".

> In my own implementation, the only place I use a true RNG is when a client
> generates an RSA premaster secret.

Are you saying that your client_hello and server_hello are predictable?
Better fix that.

On 4/26/2010 3:38 PM, Nicolas Williams wrote:
> How is the sub-thread on RNGs and PRNGs relevant here?

The draft was said to strengthen some properties of the protocol,
particularly entropy in the RNG. In order to evaluate the draft, we need
to agree on what those properties are supposed to be and how they affect
the different protocol structures.

It looks like the TLS RFCs are a bit unclear. From the comments, it
would appear that not all implementers have interpreted the spec in the
same way as it relates to true RNGs, PRNGs, the PRF, etc.

- Marsh