Re: [TLS] 32 byte randoms in TLS1.3 hello's
Colm MacCárthaigh <colm@allcosts.net> Mon, 24 July 2017 17:09 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38438126C0F for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 10:09:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E7rv65tds2x8 for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 10:09:35 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B78F1241FC for <tls@ietf.org>; Mon, 24 Jul 2017 10:09:35 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id x125so53188082ywa.0 for <tls@ietf.org>; Mon, 24 Jul 2017 10:09:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=R1fIQtkjnYAAmII8a6BVM17l2S8RvXWoQBJRZwYtmY4=; b=r1CFPa4pHSP3JmWih2DblSKn+3U5yDJIoaMEyBwIXJzM3eHBrxPw+Tro/uAC2KLfSQ 6u95puy8y/R6Kkc2CCE+AK3LOo/mYkcyo9B0IQWzHMGBn10PVAdqMmxyGinM4JFPcUqJ Z9kh2h0+mtcJNVcvKJlINnXNSNhyuCTPzfZ1vTxEe5lBqghD6JRRXHQS5p1PgM7NpcTB x2ZFTda8mXxhy6/dZ50qtlqxesKxfKMs+ubG+TR8MN/fMHisYQvk9Q7g0IaXoyABoWm3 yQIgNROER4jhEJk5h8FKg73n1rhd04qhEeoWqOR7wBJDprl2SYpOVfacFm/xyl8VvLqy wbAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=R1fIQtkjnYAAmII8a6BVM17l2S8RvXWoQBJRZwYtmY4=; b=AdAS+5qEvSnWKI9ZYh+itkRmYx4m/1nCJ9aBQBjjBdmj3ZXQOsk8MAtwudah5jH64t kEbyewwDqa6J5tawpKVgUYCyP2TExUWZ3oIm36sXI0cs3hXE/vr931P4EaVXXnBvdUmZ 5H198FkboKIHIlNT+X6uEsab+5LszZx0dmjJ9mS4XDAn1hn0ycHkVMJUo2h6lt6A5BK3 t/GK91CZ61Xl6Y72ZqSrS/oihjbDt05WqU21gPoRqFAmm089lhVP5j0lm8H5qrdMjw5l PyX2lbUPh1OfonyzWZHxCyCz0jbysYo2yKNCzkEYU8d7DGwArYB1ZXqr7saf5mgqOk7g 1j7g==
X-Gm-Message-State: AIVw110va8OHnxY66faHaSBfMYOpDZSxR606bxMlXONb/Q/ybhHtUHoe wIO1bNnN0djwsbN64jBLhQh8AGDGxdQT
X-Received: by 10.13.214.203 with SMTP id y194mr13665073ywd.409.1500916174557; Mon, 24 Jul 2017 10:09:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.71 with HTTP; Mon, 24 Jul 2017 10:09:34 -0700 (PDT)
In-Reply-To: <67679ecc-1043-a70a-6d57-8807f78e1afa@cs.tcd.ie>
References: <67679ecc-1043-a70a-6d57-8807f78e1afa@cs.tcd.ie>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Mon, 24 Jul 2017 10:09:34 -0700
Message-ID: <CAAF6GDejyu7+ApbG-drMOSW3M=nc1MJJeA45O40RDbEedk15kA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c076d526c740d05551347d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Tjh-qHA9ys0LJtBqW_3UOZIEhl4>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 17:09:37 -0000
On Mon, Jul 24, 2017 at 8:15 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > Now if some TLS1.3 deployment were affected by a dual-ec > attack, it'd seem like the -21 version of Random might be > even better than the TLS1.2 version, for the attacker. > I think the fix for this is really at the application level; if you want defense-in-depth against PRNG problems, it's probably best to use separate RNG instances for public data (e.g. client_random, server_random, explicit_IV) and for secret data (keys) so that a leak in the public data doesn't compromise the private one. We do this in s2n, and I think BouncyCastle does it too. A protocol level fix probably isn't as helpful because the attacker can make more connections and collect more data to derive more and more information about the RNG state anyway. -- Colm
- [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Russ Housley
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Joseph Lorenzo Hall
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Jeffrey Walton
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Salz, Rich
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell