Re: [TLS] Extended random is NSA backdoor

Nico Williams <nico@cryptonector.com> Tue, 01 April 2014 02:47 UTC

In-Reply-To: <CACsn0cke=seQfSkzUKf4oiKzUpa3UgfA2am=-5Q-a03S35=0yg@mail.gmail.com>
References: <CACsn0cmOjLDVgHjN00vb7XVTEU2FS9ZP5Rdax1W7sUqVBPQdvA@mail.gmail.com> <53397B6F.9050806@mykolab.com> <CAL9PXLzuwKCZ2MhLUMviTW-aV19Zm-m=4mVEcmKkFUtHm6sPKQ@mail.gmail.com> <53397E0C.9000504@mykolab.com> <CA+cU71mbBs_ER31abZ1nP1FtVAwREMvRwpPmcLaSYZiXhqUPGg@mail.gmail.com> <53397F7C.2060603@mykolab.com> <53398AB3.9090102@gmail.com> <CAGZ8ZG0sd+K2jCmA0KeH55dPG6Y+WHm7LDyhosFjY5R7ekp5GQ@mail.gmail.com> <4564B6F0-EAE8-457F-8698-ED929F4DDA01@pahtak.org> <26D8EEDC-DE7D-4681-BE06-216DBAF55BEE@vigilsec.com> <CAK3OfOg4Oy6PP-tq1w9KbADg16r-2A9rX8=zOMERHzrrKaU3jA@mail.gmail.com> <CACsn0cke=seQfSkzUKf4oiKzUpa3UgfA2am=-5Q-a03S35=0yg@mail.gmail.com>
Date: Mon, 31 Mar 2014 21:47:43 -0500
Message-ID: <CAK3OfOg88WT09BxNxuQRp5WO+x8+NxF7bQ-YEjddx_q08P7BLA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/C_B2Wvy5P6qnRNb46ohUX4303QI
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Extended random is NSA backdoor

BTW, if the only concern is replay protection then much less entropy
will suffice since the birthday paradox is the only real concern then.
Coarse timestamps do help increase the value of smaller nonces by
allowing the use of a replay cache, but reliable, high-performance
replay caching is very difficult to implement correctly.  Still,
assuming no replay caching I'd say that 28 bytes is overkill indeed.
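The message above reasons about how many nonce bits replay protection really needs (a birthday-bound question) and why a coarse timestamp plus a replay cache lets a smaller nonce do the job. As an added example that is not code from the thread or from any TLS implementation, the following Python block computes the birthday bound for a given number of nonces and implements a timestamp-windowed replay cache whose memory is bounded by the clock window; the window length, message rates, nonce sizes and timestamps are assumptions chosen for illustration.

```python
"""Added example: birthday bound for nonce sizing, and a replay cache keyed by a
coarse timestamp.  Not code from the TLS thread; all sizes are assumptions."""
import math
import os


def birthday_collision_probability(nonce_bits: int, n_values: int) -> float:
    """Approximate P(at least one collision) among n_values uniformly random
    nonce_bits-bit values: 1 - exp(-n^2 / (2 * 2^bits)).  expm1 keeps the
    result exact for the tiny probabilities we care about."""
    space = 2.0 ** nonce_bits
    return -math.expm1(-(n_values ** 2) / (2.0 * space))


def min_nonce_bits(n_values: int, max_collision_prob: float) -> int:
    """Smallest nonce size (bits) that keeps the birthday-collision probability
    among n_values values at or below max_collision_prob."""
    bits = 1
    while birthday_collision_probability(bits, n_values) > max_collision_prob:
        bits += 1
    return bits


def min_nonce_bits_with_window(rate_per_second: int, window_seconds: int,
                               max_collision_prob: float) -> int:
    """With a timestamp check, only nonces minted inside one clock window can
    collide with each other, so n shrinks from 'all nonces ever' to rate*window."""
    return min_nonce_bits(rate_per_second * window_seconds, max_collision_prob)


class ReplayCache:
    """Remembers (coarse_timestamp, nonce) pairs.  A message is admitted only if
    its timestamp is within `window` seconds of the receiver's clock, so entries
    older than the window can be dropped: they could never be presented again."""

    def __init__(self, window: int):
        self.window = window
        self._seen: dict[int, set[bytes]] = {}   # timestamp -> nonces seen at it

    def _expire(self, now: int) -> None:
        for ts in [t for t in self._seen if t < now - self.window]:
            del self._seen[ts]

    def accept(self, ts: int, nonce: bytes, now: int) -> bool:
        """True for a fresh message; False if it is outside the clock window
        (stale, or a bogus future clock) or has already been seen."""
        if abs(now - ts) > self.window:
            return False
        self._expire(now)
        bucket = self._seen.setdefault(ts, set())
        if nonce in bucket:
            return False            # replay inside the window
        bucket.add(nonce)
        return True

    def size(self) -> int:
        return sum(len(b) for b in self._seen.values())


def demo() -> dict:
    """Assumed scenario: 30 s clock window, 32-bit nonces, integer-second timestamps."""
    cache = ReplayCache(window=30)
    nonce = os.urandom(4)
    results = {}
    results["fresh"] = cache.accept(ts=1000, nonce=nonce, now=1000)
    results["replay"] = cache.accept(ts=1000, nonce=nonce, now=1010)
    results["stale"] = cache.accept(ts=900, nonce=os.urandom(4), now=1000)
    results["late_replay"] = cache.accept(ts=1000, nonce=nonce, now=1100)
    results["fresh_later"] = cache.accept(ts=1100, nonce=os.urandom(4), now=1100)
    results["size"] = cache.size()   # only the ts=1100 entry survives expiry
    return results


if __name__ == "__main__":
    print(demo())
    print("bits for 2^32 nonces, no timestamps:", min_nonce_bits(2 ** 32, 2.0 ** -32))
    print("bits at 1e6/s inside a 30 s window:",
          min_nonce_bits_with_window(1_000_000, 30, 2.0 ** -32))
```

The `min_nonce_bits` figures are the point of comparison with the message: even without a timestamp, holding a collision chance of 2^-32 across 2^32 nonces needs about 95 bits, and inside a 30 s window at a million handshakes per second about 81, both well short of the 224 bits that 28 random bytes provide. The cache shows the other half of the argument: the timestamp check is what lets `_expire` keep memory proportional to `rate * window` rather than to everything ever seen.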