Re: [TLS] New drafts: adding input to the TLS master secret

Dean Anderson <dean@av8.com> Tue, 09 February 2010 18:21 UTC

Return-Path: <dean@av8.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DD5328C1D4 for <tls@core3.amsl.com>; Tue, 9 Feb 2010 10:21:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.206
X-Spam-Level:
X-Spam-Status: No, score=-2.206 tagged_above=-999 required=5 tests=[AWL=0.393, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxgxs93qv0db for <tls@core3.amsl.com>; Tue, 9 Feb 2010 10:21:24 -0800 (PST)
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) by core3.amsl.com (Postfix) with ESMTP id 757F03A6CED for <tls@ietf.org>; Tue, 9 Feb 2010 10:21:23 -0800 (PST)
Received: from citation2.av8.net (citation2.av8.net [130.105.12.10]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id o19IMSwo018204 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 9 Feb 2010 13:22:28 -0500
Date: Tue, 09 Feb 2010 13:22:27 -0500
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: Marsh Ray <marsh@extendedsubset.com>
In-Reply-To: <4B70C1D9.5020505@extendedsubset.com>
Message-ID: <Pine.LNX.4.44.1002091230380.17664-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New drafts: adding input to the TLS master secret
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2010 18:21:27 -0000

I agree with Martin Rex, I think a counter should be used instead of a 
random number.

Inline

On Mon, 8 Feb 2010, Marsh Ray wrote:


> To me that does not permit a conforming implementation to "expose an
> essentially unlimited amount of the pseudo-random sequence".
> 
> Any competent implementer would know that they have to keep their
> secure RNG seeded to a reasonable degree.

Actually, secure RNG isn't always an implementer decision, but an
operations option. For example, Apache has an option to turn off the
waiting on the secure random generator.  Otherwise, it hangs until it
gets enough entropy. I suspect there may be a lot of apache sites
without sufficient entropy.

> > From "Handbook of Applied Cryptography" Section 5.1.1 on Pseudo
> > Random Bit Generators:
> > 
> >   "The output of a PRBG is not random; in fact the number of possible
> >   output sequences is at most a small fraction 2^k/2^l, of all possible
> >   binary sequences of length l."
> > 
> > So one can see, as l gets larger with k constant, the fraction of all
> > output sequences gets smaller.  The pre_master_secret is 384 bits and
> > the Random value is presently 256 bits. So the random exposes 40% of the
> > sequence.
> 
> 2^256 / 2^384
> is not anything like 40%. Looks to me like it's about
> 0.00000000000000000000000000000000000003%

You are misreading what I wrote. The number above is the fraction of all
possible sequences of length 384 that can be generated by a PRNG seeded
with 256 bits of entropy. As you note, its a very small fraction.  In
fact, its no more than the original entropy.

However, the 40% referred to:

  640 bits are taken from the PRNG:
     because pre_master_secret (384) + client.random(256) = 640

  256 bits are exposed to the sniffer. 256/640 = .4

So 40% of the sequence bits are exposed to sniffers.  I assume the
sniffer can see every TLS connection.

For LFSR, I /think/ 40% was enough to recover the whole sequence (fact
check, I'm not sure).  So, it might be plausible that this amount might
be enough to recover the pseudo random sequence, too. Particularly if
there isn't suffient entropy in the key to start with.  The 256 bits of
exposed random give an attacker a means to check on the state of the
PRNG.

> You haven't identified an actual weakness, only asserted that there
> could be one.

Yes.  I haven't identified a purely cryptographic weakness. I haven't
found a break in sha256, particularly not if a sufficient amount of key
entropy is used. And if everyone strictly follows total secure practices
on key entropy and there are no sha-1,md5 similar breaks in sha256, then
indeed there is no purely cryptographic problem.

But in practice, there isn't always sufficient entropy for secure RNG.
In that case, there is a crucial exposure of sequence bits that doesn't
need to happen.

If one didn't expose all those bits from the PRNG, there wouldn't be a
break on the PRNG even with less entropy: There would be no way to test
bits from the PRNG to find its state.

I'd say what I've exposed is a design flaw in the way crypto is being
used, not a purely cryptographic weakness.  My assertion comes down to
this: If PRNG bits aren't exposed to sniffers, they can't be exploited
by snifffers. So lets not expose PRNG bits.

> > Why not alter TLS to require a different pseudo-random sequence
> > generator for Random values?
> 
> I didn't design it of course, but I would say it's because the actual
> input entropy is assumed to be finite and by is impossible to measure
> accurately. Dividing it between two separate pools would probably end
> up diluting it in one or the other.

I agree. A counter should be used, not another PRNG.

> For example, many OSes collect and pool entropy in the kernel where it
> can be shared by all applications. This is essentially the opposite of
> your suggestion.

Yes. That is the best of a bad choice, too.  The pool was used because
its hard to collect sufficient entropy. But allowing others to get bits
from the pool opens a way to reduce entropy available and cause servers
to either wait (or proceed without sufficient entropy).  The way TLS is
currently arranged, TLS really screws those who don't have sufficient
entropy all the time. And TLS _might_ still screw those who do.

		--Dean




-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494