Re: [TLS] New drafts: adding input to the TLS master secret
Dean Anderson <dean@av8.com> Tue, 09 February 2010 18:21 UTC
Return-Path: <dean@av8.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DD5328C1D4 for <tls@core3.amsl.com>; Tue, 9 Feb 2010 10:21:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.206
X-Spam-Level:
X-Spam-Status: No, score=-2.206 tagged_above=-999 required=5 tests=[AWL=0.393, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxgxs93qv0db for <tls@core3.amsl.com>; Tue, 9 Feb 2010 10:21:24 -0800 (PST)
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) by core3.amsl.com (Postfix) with ESMTP id 757F03A6CED for <tls@ietf.org>; Tue, 9 Feb 2010 10:21:23 -0800 (PST)
Received: from citation2.av8.net (citation2.av8.net [130.105.12.10]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id o19IMSwo018204 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 9 Feb 2010 13:22:28 -0500
Date: Tue, 09 Feb 2010 13:22:27 -0500
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: Marsh Ray <marsh@extendedsubset.com>
In-Reply-To: <4B70C1D9.5020505@extendedsubset.com>
Message-ID: <Pine.LNX.4.44.1002091230380.17664-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New drafts: adding input to the TLS master secret
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2010 18:21:27 -0000
I agree with Martin Rex, I think a counter should be used instead of a random number. Inline On Mon, 8 Feb 2010, Marsh Ray wrote: > To me that does not permit a conforming implementation to "expose an > essentially unlimited amount of the pseudo-random sequence". > > Any competent implementer would know that they have to keep their > secure RNG seeded to a reasonable degree. Actually, secure RNG isn't always an implementer decision, but an operations option. For example, Apache has an option to turn off the waiting on the secure random generator. Otherwise, it hangs until it gets enough entropy. I suspect there may be a lot of apache sites without sufficient entropy. > > From "Handbook of Applied Cryptography" Section 5.1.1 on Pseudo > > Random Bit Generators: > > > > "The output of a PRBG is not random; in fact the number of possible > > output sequences is at most a small fraction 2^k/2^l, of all possible > > binary sequences of length l." > > > > So one can see, as l gets larger with k constant, the fraction of all > > output sequences gets smaller. The pre_master_secret is 384 bits and > > the Random value is presently 256 bits. So the random exposes 40% of the > > sequence. > > 2^256 / 2^384 > is not anything like 40%. Looks to me like it's about > 0.00000000000000000000000000000000000003% You are misreading what I wrote. The number above is the fraction of all possible sequences of length 384 that can be generated by a PRNG seeded with 256 bits of entropy. As you note, its a very small fraction. In fact, its no more than the original entropy. However, the 40% referred to: 640 bits are taken from the PRNG: because pre_master_secret (384) + client.random(256) = 640 256 bits are exposed to the sniffer. 256/640 = .4 So 40% of the sequence bits are exposed to sniffers. I assume the sniffer can see every TLS connection. For LFSR, I /think/ 40% was enough to recover the whole sequence (fact check, I'm not sure). So, it might be plausible that this amount might be enough to recover the pseudo random sequence, too. Particularly if there isn't suffient entropy in the key to start with. The 256 bits of exposed random give an attacker a means to check on the state of the PRNG. > You haven't identified an actual weakness, only asserted that there > could be one. Yes. I haven't identified a purely cryptographic weakness. I haven't found a break in sha256, particularly not if a sufficient amount of key entropy is used. And if everyone strictly follows total secure practices on key entropy and there are no sha-1,md5 similar breaks in sha256, then indeed there is no purely cryptographic problem. But in practice, there isn't always sufficient entropy for secure RNG. In that case, there is a crucial exposure of sequence bits that doesn't need to happen. If one didn't expose all those bits from the PRNG, there wouldn't be a break on the PRNG even with less entropy: There would be no way to test bits from the PRNG to find its state. I'd say what I've exposed is a design flaw in the way crypto is being used, not a purely cryptographic weakness. My assertion comes down to this: If PRNG bits aren't exposed to sniffers, they can't be exploited by snifffers. So lets not expose PRNG bits. > > Why not alter TLS to require a different pseudo-random sequence > > generator for Random values? > > I didn't design it of course, but I would say it's because the actual > input entropy is assumed to be finite and by is impossible to measure > accurately. Dividing it between two separate pools would probably end > up diluting it in one or the other. I agree. A counter should be used, not another PRNG. > For example, many OSes collect and pool entropy in the kernel where it > can be shared by all applications. This is essentially the opposite of > your suggestion. Yes. That is the best of a bad choice, too. The pool was used because its hard to collect sufficient entropy. But allowing others to get bits from the pool opens a way to reduce entropy available and cause servers to either wait (or proceed without sufficient entropy). The way TLS is currently arranged, TLS really screws those who don't have sufficient entropy all the time. And TLS _might_ still screw those who do. --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 256 5494
- Re: [TLS] New drafts: adding input to the TLS mas… Stefan Santesson
- [TLS] New drafts: adding input to the TLS master … Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Simon Josefsson
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Simon Josefsson
- Re: [TLS] New drafts: adding input to the TLS mas… Brian Smith
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Brian Smith
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Bill Frantz
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Jeffrey A. Williams
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… James Manger