Re: [TLS] Extended random is NSA backdoor
Nico Williams <nico@cryptonector.com> Tue, 01 April 2014 02:47 UTC
Date: Mon, 31 Mar 2014 21:47:43 -0500
Message-ID: <CAK3OfOg88WT09BxNxuQRp5WO+x8+NxF7bQ-YEjddx_q08P7BLA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/C_B2Wvy5P6qnRNb46ohUX4303QI
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Extended random is NSA backdoor
BTW, if the only concern is replay protection then much less entropy will suffice since the birthday paradox is the only real concern then. Coarse timestamps do help increase the value of smaller nonces by allowing the use of a replay cache, but reliable, high-performance replay caching is very difficult to implement correctly. Still, assuming no replay caching I'd say that 28 bytes is overkill indeed.
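An added illustration of the two points made above, not part of the original message: the birthday bound fixes how many random nonces can be issued before a repeat becomes likely (so far fewer than 28 bytes suffice for replay protection alone), and a replay cache keyed on a coarse timestamp only has to keep nonces unique within a short window. The window size, timestamps and nonces below are constructed sample values.

```python
import math
from collections import OrderedDict


def nonces_before_collision(nonce_bits: int, max_prob: float) -> float:
    """Birthday bound: roughly how many random nonces of nonce_bits bits can be
    drawn before the chance that any two collide reaches max_prob.
    n ~= sqrt(2 * N * ln(1/(1-p))) with N = 2**nonce_bits."""
    space = 2.0 ** nonce_bits
    return math.sqrt(2.0 * space * -math.log1p(-max_prob))


def bits_needed(n_nonces: float, max_prob: float) -> float:
    """Inverse of the bound: nonce size (bits) so that n_nonces nonces
    collide with probability at most max_prob."""
    return math.log2(n_nonces ** 2 / (2.0 * -math.log1p(-max_prob)))


class ReplayCache:
    """Replay cache using a coarse timestamp window (constructed example).

    A message is accepted only if its timestamp ts satisfies
    now - window <= ts <= now (no future-dated messages) and its
    (ts, nonce) pair has not been seen before.  Entries inserted more than
    `window` seconds ago are evicted: any replay of them would already be
    rejected by the window check, so the cache stays bounded and the nonce
    only needs to be unique within one window.  Assumes `now` is monotonic.
    """

    def __init__(self, window: int):
        self.window = window
        self.seen = OrderedDict()  # (ts, nonce) -> time of insertion

    def accept(self, now: int, ts: int, nonce: bytes) -> bool:
        # Evict from the oldest insertion forward (OrderedDict keeps order).
        while self.seen and next(iter(self.seen.values())) < now - self.window:
            self.seen.popitem(last=False)
        if ts > now or ts < now - self.window:
            return False  # outside the window: reject without caching
        key = (ts, nonce)
        if key in self.seen:
            return False  # replay within the window
        self.seen[key] = now
        return True
```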