Re: [TLS] Extended random is NSA backdoor

Nico Williams <nico@cryptonector.com> Tue, 01 April 2014 02:21 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7328A1A0914 for <tls@ietfa.amsl.com>; Mon, 31 Mar 2014 19:21:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.303
X-Spam-Level:
X-Spam-Status: No, score=0.303 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_BL_SPAMCOP_NET=1.347] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmHVG3fI7f9i for <tls@ietfa.amsl.com>; Mon, 31 Mar 2014 19:21:12 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B309E1A090F for <tls@ietf.org>; Mon, 31 Mar 2014 19:21:12 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id 5063C674059 for <tls@ietf.org>; Mon, 31 Mar 2014 19:21:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=eeDUd9sYYS1o4dr3aO2l CcteLLg=; b=P7hn8N1ampSrL995GS0TknlVBFNZgrIG9jsomPkujKZa6HBklRYX xI3npyVokCyTm6+pTV7Tnff2LY7OuPdpwjLFQc+zug9gIpuCCSRgkeaZq5ukB+MI n65Vc/xeyP5TuRK9kKoTv/D7b2WjbmwbvslZYC/06mhuCUEieq+wc0Y=
Received: from mail-we0-f176.google.com (mail-we0-f176.google.com [74.125.82.176]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 0516D674058 for <tls@ietf.org>; Mon, 31 Mar 2014 19:21:08 -0700 (PDT)
Received: by mail-we0-f176.google.com with SMTP id x48so5638417wes.35 for <tls@ietf.org>; Mon, 31 Mar 2014 19:21:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vFBfaSkXWvYQL7bd9/uQRYgOywFHGOIS6pZpfNnRrlc=; b=c6P8zz9MnxZnCn1FqD+TJTy9lddZiIxAyhHK0Rj3l+addWFn5YSB1GiiYbJNiR6s/M Gr3gR7uGiVqtxQp8majIRXO2+879/ownrp/0RMZre56f/PYwtd1PnQAUH6MkI8TZqEvd HYY49N24yYhos0zG6Pm0PLZI5TLyxpD1k4sJLBPdbWETYm3+VKhKpE6QEB0BSU7h0wuq nd2O7bSrUG9J5mAnwjSuxpykQXrdJVDU5UC/e5z46HzVROHpkSj2gCgz/9bhLEXO2Qbu 1FUq6ZhZ1TWHYOtsnRBzjLtmyR+wC5o/vtmS50FUwhowu+RG479GrSSeebux22wbDVyU i/Vg==
MIME-Version: 1.0
X-Received: by 10.180.12.147 with SMTP id y19mr12026582wib.39.1396318868008; Mon, 31 Mar 2014 19:21:08 -0700 (PDT)
Received: by 10.217.129.197 with HTTP; Mon, 31 Mar 2014 19:21:07 -0700 (PDT)
In-Reply-To: <533A1B97.5060203@pobox.com>
References: <CACsn0cmOjLDVgHjN00vb7XVTEU2FS9ZP5Rdax1W7sUqVBPQdvA@mail.gmail.com> <CAK3OfOgxPvpOWepVadR0czSH68Y-2AEfpJ9Pfo0MJu83pg8RJA@mail.gmail.com> <533A1B97.5060203@pobox.com>
Date: Mon, 31 Mar 2014 21:21:07 -0500
Message-ID: <CAK3OfOjSRhoSKcFcwnyi3W1hht4_krermbM9Q2_zTyUjp6aosQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Michael D'Errico <mike-list@pobox.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Nx86KL5i8iqPP-O21t4tCUgPPwM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Extended random is NSA backdoor
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 02:21:13 -0000

On Mon, Mar 31, 2014 at 8:51 PM, Michael D'Errico <mike-list@pobox.com> wrote:
> Nico Williams wrote:
>> If this is in reference to Dual_EC, well, TLS has always had enough
>> bytes of nonce to exploit the conjectured Dual_EC backdoor (assuming
>> one did not feel forced to send the 32 bits of Unix time, which,
>> indeed, some libraries _don't_).
>
> Would a mitigation be to take 64 bytes of DRBG output, run it through
> SHA-256 and use the result as the 32-byte (client|server) random?

Yes.  You don't need 64 bytes either.  Just 32, or 24 even, would
suffice.  The Dual_EC outputs have structure which is needed in order
to exploit the putative backdoor.  Hashing makes that structure
inaccessible to the attacker.

Nico
--