Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random
Marsh Ray <marsh@extendedsubset.com> Mon, 26 April 2010 21:18 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F9DA3A6B34 for <tls@core3.amsl.com>; Mon, 26 Apr 2010 14:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.568
X-Spam-Level:
X-Spam-Status: No, score=0.568 tagged_above=-999 required=5 tests=[AWL=-1.433, BAYES_50=0.001, SARE_RAND_1=2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G4wg1707nqHZ for <tls@core3.amsl.com>; Mon, 26 Apr 2010 14:18:58 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id B1DB23A69CD for <tls@ietf.org>; Mon, 26 Apr 2010 14:18:48 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1O6VhM-000Aub-9W; Mon, 26 Apr 2010 21:18:36 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 09BB560B6; Mon, 26 Apr 2010 21:18:35 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18i2TNZHNxF4fTxhP94bZYx9emQty2DvZ8=
Message-ID: <4BD60329.3030403@extendedsubset.com>
Date: Mon, 26 Apr 2010 16:18:33 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Michael D'Errico <mike-list@pobox.com>
References: <Pine.LNX.4.44.1004261355330.14419-100000@citation2.av8.net> <4BD5E3BD.2030605@extendedsubset.com> <4BD5EDB5.50409@pobox.com>
In-Reply-To: <4BD5EDB5.50409@pobox.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Apr 2010 21:18:59 -0000
Taking ietf@ietf.org off of CC list as this seems to be very TLS specific. On 4/26/2010 2:47 PM, Michael D'Errico wrote: > > No, if you look at the implementation notes in RFC 5246, you will see that > it really is meant to be pseudo-random: I believe this wording is particularly unfortunate and needs to be fixed. Perhaps Ekr will weigh in on this? Here's my interpretation: > Appendix D. Implementation Notes > > D.1. Random Number Generation and Seeding > > TLS requires a cryptographically secure pseudorandom number generator > (PRNG). Yes, it does. Note that this does not modify the definition of random_bytes as "28 bytes generated by a secure random number generator." > Care must be taken in designing and seeding PRNGs. Yes, it must. Note the term "seeding". > PRNGs > based on secure hash operations, most notably SHA-1, are acceptable, > but cannot provide more security than the size of the random number > generator state. None of this is literally untrue, but the placement of this whole paragraph seems to confuse the RNG/PRNG distinction. I believe it was expected that the reader would understand that a True RNG was being talked about. It seems to be taken for granted that this will follow the conventional implementation of as pool of bits containing sufficient entropy which is stirred by a strong hash-function-based PRNG. Places in the spec that need the "pseudo" generator define a "pseudorandom function (PRF)" and use that term. The TLS 1.1 spec refererences: > [RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker, > "Randomness Requirements for Security", BCP 106, RFC 4086, > June 2005. which I intend to read immediately. > A server especially would not want to use an RNG (over a PRNG) since an > attacker could rob it of all its entropy by sending a flood of bogus > ClientHellos. You need a good true RNG to implement TLS securely. You shouldn't worry about it "running out of entropy". That it won't is inherent in the definition of "good true RNG" as a primitive operation. Another way of saying it is: if you're worried about running out of entropy then fix your RNG, don't weaken the protocol implementation. If you dump enough entropy* in the pool and stir it and extract it using a strong hash function, the attacker can't reverse its state. This fascinating topic is treated at length in "the literature" and I learned a lot last time this thread came up. *I think we've established that 2**224 is "probably enough". > In my own implementation, the only place I use a true RNG is when a client > generates an RSA premaster secret. Are you saying that your client_hello and server_hello are predictable? Better fix that. On 4/26/2010 3:38 PM, Nicolas Williams wrote: > How is the sub-thread on RNGs and PRNGs relevant here? The draft was said to strengthen some properties of the protocol, particularly entropy in the RNG. In order to evaluate the draft, we need to agree on what those properties are supposed to be and how they affect the different protocol structures. It looks like the TLS RFCs are a bit unclear. From the comments, it would appear that not all implementers have interpreted the spec in the same way as it relates to true RNGs, PRNGs, the PRF, etc. - Marsh
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Russ Housley
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Michael D'Errico
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Kemp, David P.
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- [TLS] RNG vs. PRNG Michael D'Errico
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Kemp, David P.
- Re: [TLS] RNG vs. PRNG Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] RNG vs. PRNG Martin Rex
- Re: [TLS] RNG vs. PRNG Martin Rex
- Re: [TLS] RNG vs. PRNG Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Sean Turner