IETF Logo Mail Archive

Re: [TLS] 32 byte randoms in TLS1.3 hello's

Dan Brown <danibrown@blackberry.com> Mon, 31 July 2017 13:54 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55FB01322F3 for <tls@ietfa.amsl.com>; Mon, 31 Jul 2017 06:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCsb4_APKfrO for <tls@ietfa.amsl.com>; Mon, 31 Jul 2017 06:54:32 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 765FE1322EF for <tls@ietf.org>; Mon, 31 Jul 2017 06:54:31 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs215cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 31 Jul 2017 09:54:31 -0400
Received: from XCT199YKF.rim.net (10.2.25.7) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 31 Jul 2017 09:54:30 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT199YKF.rim.net ([fe80::3026:d39d:47da:9fa3%12]) with mapi id 14.03.0319.002; Mon, 31 Jul 2017 09:54:30 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Eric Rescorla <ekr@rtfm.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] 32 byte randoms in TLS1.3 hello's
Thread-Index: AQHTBI+yUHLG+hMivEObnVpzx6wh/KJjeS0AgAC0BYCAAI15AIAAcHiAgABSRwCAABeRgIAAta2AgAATyICAAC25AIAAMDwAgAANUQCAABPSAIAABQGAgAAkyoCAAYN2AP//zaLlgABFtACAAAITAIAAleMAgAADerCAAHJeAIAETPYg
Date: Mon, 31 Jul 2017 13:54:29 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501B78355@XMB116CNC.rim.net>
References: <CAAF6GDcSb3jqirTRW7_Udr4u6QJtFpmFug02pMuX-CjEiyNPfg@mail.gmail.com> <20170726205732.784F41A6CB@ld9781.wdf.sap.corp> <CAAF6GDcQCCeq1JosMTpQrh7MZLG1iN-xcOfsXC0LvSZRx+oQjQ@mail.gmail.com> <046ad800-351b-3a79-3f56-7883f5d9ceea@cs.tcd.ie> <CABcZeBMyY0f9D9VEmkKNkLB2OY3TRG7UO-B48xOrA3JSP5xRkw@mail.gmail.com> <20170727233335.8573013.91860.16216@blackberry.com> <2DB2CA47-5121-4B3E-BE0E-116A76F4870E@ll.mit.edu> <CABcZeBNF3WjY6AKoDY4drB+XjMS9LLZ5DmhR=DFX+-0YtKO71g@mail.gmail.com> <726e6666-8af4-384a-95f7-45cb68a331f7@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF501B745D8@XMB116CNC.rim.net> <0698b5f7-3dd7-ee4f-5464-6a7e98a20240@cs.tcd.ie>
In-Reply-To: <0698b5f7-3dd7-ee4f-5464-6a7e98a20240@cs.tcd.ie>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BhKkeWe57vg-c807SKZ4kXcXQSc>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 13:54:34 -0000

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 

I don't think this is simply a case of multiple CSPRNGs.

DB> Not quite sure what you mean by "simply a case of multiple CSPRNGs", but I am starting to get an idea below.

My guess is many TLS implementations don't have visibility into how the CSPRNG operates. That code does however, know which output values will be public and which not. For me, that implies that any good separation scheme applied within the TLS code that differentiates between public and non public outputs is a good plan. 

DB> Ok, suppose the TLS implementation wishes to just read /dev/urandom, which is presumably a good CSPRNG.  Unlike the NIST RBGs, there's no interface to create independent and separate instantiations of /dev/urandom (as far as I know, although newer versions may provide this feature).  So, what would count as your "separation scheme"?  Are you saying the TLS code should post-process the output of a single CSPRNG?  If so, then that's probably a good idea, if done right.  At least it doesn't have the downside risk of the TLS coder generating its own seeds, writing its own CSPRNG (instead of using /dev/urandom), etc.  (I thought that I was being very specific that launching 2 CSPRNGs was not a good idea, yet it seems I was read as preferring as doing nothing and keeping the status quo, which is not what I intended.)  So, I think some kind of clarification of the currently proposed text (for -21 ?)  may be worthwhile, because I read it creating two separate CSPRNGs.  (Of course, defence in depth is good, and often worth the implementation cost, but if it introduces new security problems, then it is not too good.  More philosophically, in an ideal world, any additions to the TLS spec should be vetted with pedigree.  Trying to create independently seeded CSPRNGs goes against the current best practices as I understand them.  By contrast, TLS already has all kinds of key derivation, separation for different purposes (unless that was dropped in 1.3???), which TLS might as well continue to use.

v2.23.0 | Report a Bug | By Email