[TLS] More hello entropy? (was: PR 508: Move downgrade sentinel to end)

Dave Garrett <davemgarrett@gmail.com> Mon, 04 July 2016 01:22 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Sun, 03 Jul 2016 21:22:27 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CABcZeBOzh8Pc1+z6U5kajhibg08rnWrCygjGJe4TnBL377JEoQ@mail.gmail.com>
In-Reply-To: <CABcZeBOzh8Pc1+z6U5kajhibg08rnWrCygjGJe4TnBL377JEoQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201607032122.28045.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SCDO5zZXtHt578EDCmKRg5OQ5w0>
Subject: [TLS] More hello entropy? (was: PR 508: Move downgrade sentinel to end)

On Sunday, July 03, 2016 07:02:05 pm Eric Rescorla wrote:
> This seems reasonable, as the
> only real argument against is that conformant TLS 1.3 servers will have
> only 20 bytes of entropy when doing TLS 1.2 compat (if they put the time in
> the top 32 bytes), as opposed to 24 if they randomize the first 32 bytes.

To correct the typo: 32 bits / 4 bytes; the total size of the random is 32 bytes / 256 bits.

> OTOH, those bytes will be more unique over time (because they are
> guaranteed not to repeat for a very long time after the second has passed),
> so intuitively this seems like a wash.

Under the "Reevaluate handshake contents" part of the current TLS WG charter [0], we have the question: "Are bigger randoms required?". Did the WG ever fully discuss this and come to a decision? Adding a supplemental entropy extension would be trivial, if we wanted to do so. (I see there was consideration of doing so a while ago [1].) Amending the TLS 1.3 spec to add it as a requirement would be easy, but would it be useful? If we want to allow 2 hacks in the current random value that reduce the entropy, then adding some entropy back in an extension makes some sense.

(If this was already settled at some point, please just point me to wherever that was. I might've just forgotten. ;)


Dave


[0] https://datatracker.ietf.org/wg/tls/charter/
[1] https://tools.ietf.org/html/draft-rescorla-tls-extended-random-02
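As an added example (not code from this thread, nor from any TLS implementation), here is the random layout the two messages are counting bytes over, together with the client-side check that gives the end-of-random sentinel its purpose. Assumptions: the sentinel byte values are the ones later fixed in RFC 8446 section 4.1.3 (the 2016 draft only fixed the 8-byte size and position); `build_server_random`, `entropy_bytes` and `detect_downgrade` are hypothetical helper names.

```python
import os
import struct
import time
from typing import Callable, Optional

# Sentinel values as published in RFC 8446 section 4.1.3 (assumption: the
# draft under discussion only settles that the sentinel is 8 bytes at the end).
DOWNGRADE_TLS12 = b"DOWNGRD\x01"   # 44 4F 57 4E 47 52 44 01
DOWNGRADE_TLS11 = b"DOWNGRD\x00"   # 44 4F 57 4E 47 52 44 00

RANDOM_LEN = 32    # Random is 32 bytes / 256 bits
TIME_LEN = 4       # classic TLS 1.2 gmt_unix_time prefix, 32 bits / 4 bytes
SENTINEL_LEN = 8   # downgrade sentinel, placed at the end per PR 508

def build_server_random(sentinel: Optional[bytes], use_time: bool, *,
                        now: Optional[int] = None,
                        rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Assemble a 32-byte server random: optional 4-byte unix time in front,
    optional 8-byte sentinel at the end, fresh random bytes in between."""
    head = b""
    if use_time:
        head = struct.pack("!I", int(time.time()) if now is None else now)
    tail = sentinel if sentinel is not None else b""
    fill = RANDOM_LEN - len(head) - len(tail)
    return head + rng(fill) + tail

def entropy_bytes(use_time: bool, use_sentinel: bool) -> int:
    """Bytes of the random that remain unpredictable under a given layout:
    32 minus 4 for the time field, minus 8 for the sentinel (20 with both)."""
    return (RANDOM_LEN - (TIME_LEN if use_time else 0)
            - (SENTINEL_LEN if use_sentinel else 0))

def detect_downgrade(server_random: bytes, negotiated_version: str) -> bool:
    """Client-side check: a TLS 1.3-capable client that ended up negotiating
    TLS 1.2 or lower and finds the matching sentinel in the last 8 bytes of
    ServerHello.random knows the server also speaks 1.3, so the lower version
    was not chosen freely and the handshake must be aborted."""
    if len(server_random) != RANDOM_LEN:
        raise ValueError("server random must be exactly 32 bytes")
    tail = server_random[-SENTINEL_LEN:]
    if negotiated_version == "TLS1.2":
        return tail == DOWNGRADE_TLS12
    if negotiated_version in ("TLS1.1", "TLS1.0", "SSL3"):
        return tail == DOWNGRADE_TLS11
    return False   # TLS 1.3 negotiated: nothing to detect
```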