Re: [TLS] Extended random is NSA backdoor

Michael D'Errico <mike-list@pobox.com> Tue, 01 April 2014 01:51 UTC

Message-ID: <533A1B97.5060203@pobox.com>
Date: Mon, 31 Mar 2014 18:51:19 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <CACsn0cmOjLDVgHjN00vb7XVTEU2FS9ZP5Rdax1W7sUqVBPQdvA@mail.gmail.com> <CAK3OfOgxPvpOWepVadR0czSH68Y-2AEfpJ9Pfo0MJu83pg8RJA@mail.gmail.com>
In-Reply-To: <CAK3OfOgxPvpOWepVadR0czSH68Y-2AEfpJ9Pfo0MJu83pg8RJA@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/N3W9zi_zEtPiHUclnzFRZDOX9yc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Extended random is NSA backdoor

Nico Williams wrote:
> If this is in reference to Dual_EC, well, TLS has always had enough
> bytes of nonce to exploit the conjectured Dual_EC backdoor (assuming
> one did not feel forced to send the 32 bits of Unix time, which,
> indeed, some libraries _don't_).

Would a mitigation be to take 64 bytes of DRBG output, run it through
SHA-256 and use the result as the 32-byte (client|server) random?

Mike
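The two constructions under discussion, side by side, as an added example that is not part of Mike's or Nico's messages: the classic RFC 5246 random (4-byte gmt_unix_time followed by 28 bytes taken straight from the DRBG, so those 28 bytes appear verbatim on the wire) and the proposed variant (64 bytes of DRBG output hashed with SHA-256, so only the digest is sent). The DRBG here is a deliberately deterministic HMAC-SHA256 counter stub, an assumption made so the example is reproducible; it is not Dual_EC, not any library's DRBG, and real code would use the TLS stack's own generator. The `exposes_drbg_bytes` helper is also an assumption for illustration: it reports whether any 8-byte window of the generator's output appears verbatim in the wire field.

```python
import hashlib
import hmac
import struct
import time

RANDOM_LEN = 32       # length of ClientHello.random / ServerHello.random
DRBG_POOL_LEN = 64    # bytes of DRBG output consumed per hashed random, as proposed


def make_stub_drbg(seed: bytes):
    """Deterministic stand-in for a DRBG (assumption for this example only).

    HMAC-SHA256 over an 8-byte counter; two stubs built from the same seed
    return the same byte stream, which lets the tests compare outputs.
    """
    counter = 0

    def generate(n: int) -> bytes:
        nonlocal counter
        out = b""
        while len(out) < n:
            out += hmac.new(seed, struct.pack("!Q", counter), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    return generate


def tls_random_rfc5246(drbg, unix_time=None) -> bytes:
    """Classic construction: gmt_unix_time (4 bytes) || 28 bytes of raw DRBG output.

    The 28 generator bytes go onto the wire unchanged.
    """
    if unix_time is None:
        unix_time = int(time.time())
    return struct.pack("!I", unix_time & 0xFFFFFFFF) + drbg(RANDOM_LEN - 4)


def tls_random_hashed(drbg) -> bytes:
    """Proposed mitigation: SHA-256 over 64 bytes of DRBG output, digest is the random.

    The wire carries a 32-byte digest, never the generator's output itself.
    """
    pool = drbg(DRBG_POOL_LEN)
    if len(pool) != DRBG_POOL_LEN:
        raise ValueError("DRBG returned short output")
    return hashlib.sha256(pool).digest()


def exposes_drbg_bytes(wire_field: bytes, drbg_output: bytes, window: int = 8) -> bool:
    """True if any `window`-byte run of the generator output appears verbatim on the wire."""
    return any(
        drbg_output[i:i + window] in wire_field
        for i in range(len(drbg_output) - window + 1)
    )


if __name__ == "__main__":
    seed = b"constructed example seed"   # constructed input, not a real key
    classic = tls_random_rfc5246(make_stub_drbg(seed), unix_time=0)
    hashed = tls_random_hashed(make_stub_drbg(seed))
    raw28 = make_stub_drbg(seed)(RANDOM_LEN - 4)
    raw64 = make_stub_drbg(seed)(DRBG_POOL_LEN)
    print("RFC 5246 random exposes raw DRBG bytes:", exposes_drbg_bytes(classic, raw28))
    print("hashed random exposes raw DRBG bytes:  ", exposes_drbg_bytes(hashed, raw64))
```

The hash only changes what an observer sees on the wire; it does not change the generator behind it, and a stack that fills other nonce fields straight from the same DRBG would still expose raw output there.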