Re: [TLS] RNG vs. PRNG
Marsh Ray <marsh@extendedsubset.com> Tue, 27 April 2010 17:19 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E92A3A6B74 for <tls@core3.amsl.com>; Tue, 27 Apr 2010 10:19:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.319
X-Spam-Level:
X-Spam-Status: No, score=-0.319 tagged_above=-999 required=5 tests=[AWL=-0.320, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsAs14YLe++u for <tls@core3.amsl.com>; Tue, 27 Apr 2010 10:19:29 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 74D4A3A6A11 for <tls@ietf.org>; Tue, 27 Apr 2010 10:19:24 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1O6oRD-0001fo-JN; Tue, 27 Apr 2010 17:19:11 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 35CF760B6; Tue, 27 Apr 2010 17:19:10 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19NXXDp5kCc79eWQcpjHeKa8tE2zDDvpoo=
Message-ID: <4BD71C8D.4050409@extendedsubset.com>
Date: Tue, 27 Apr 2010 12:19:09 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Michael D'Errico <mike-list@pobox.com>
References: <Pine.LNX.4.44.1004261355330.14419-100000@citation2.av8.net> <4BD5E3BD.2030605@extendedsubset.com> <4BD5EDB5.50409@pobox.com> <4BD60329.3030403@extendedsubset.com> <4BD6359C.7070008@pobox.com>
In-Reply-To: <4BD6359C.7070008@pobox.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] RNG vs. PRNG
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2010 17:19:35 -0000
On 4/26/2010 7:53 PM, Michael D'Errico wrote: > Here are all the places within my code that generate random values > and whether they are purely random or pseudo-random (via a CPRNG): I can't find a definition of 'CPRNG'. I suspect we may be in agreement but for use of the terminology. > RNG generate RSA premaster secrets RNG generate encryption key > and HMAC secret used for session ticket protection > > CPRNG generate (part of) session IDs CPRNG generate initialization > vectors > > CPRNG generate hello random values CPRNG generate random premaster > secret in server (as part of defense against Bleichenbacher attack > and version rollback detection) > > These last two are debatable. Marsh would have the hello randoms be > purely random, not just unpredictable, and the OpenSSL > implementation uses a CPRNG for the last one, but has a note that it > /should/ use an RNG. > > IANAC, but wonder why the hello randoms would need to be purely > random, versus just unpredictable, since they go over the wire in the > clear? > > Also, does anyone know why the random premaster secret should be > generated with a real RNG versus a CPRNG? I read the spec as having two types of number generation sequences for TLS implementations: 1. The pseudo-random function 'PRF'. This gets initialized/seeded with arbitrary data, but then produces a deterministic sequence. 2. A cryptographic quality random number generator. Every bit output represents one bit of entropy to an attacker on the network. This is a nondeterministic sequence from the perspective of everyone outside the implementation itself, which is not to say that there can be no deterministic methods used in the generation of the sequence. Because real hardware entropy sources are typically bandwidth-limited, typically a sufficient real hardware entropy (say hundreds or thousands of bits) will be accumulated and used to initialize the generator state. The generator state is secret, at least as large as the needed initialization entropy, and is advanced as output is extracted. The use of real hardware entropy reduces the attacker to just that much brute force guessing in attempts to find the initial state. Using hundreds of bits of real hardware entropy makes this impractical. The random number sequence is extracted from the state using secure one-way functions such that the observer cannot work backwards to learn anything about the state from the generated sequence. In this way, a limited-but-sufficient amount of real hardware entropy can be expanded to arbitrary length-sequences without concern for "entropy depletion". This assumes the chosen one-way function works as designed, or at least any weaknesses don't affect this usage: KELS98: > We will treat MD5 as a random function. While there have been > interesting cryptanalytic results on MD5 in the last several years, > none of them offer an obvious way to attack the RSAREF PRNG. > > [KELS98] John Kelsey, Bruce Schneier, David Wagner, Chris Hall, > Cryptanalytic Attacks on Pseudorandom Number Generators, March 1998, > available from <http://www.schneier.com/paper-prngs.html>. As an example, initialize an AES-256 block cipher with a perfectly random 256 bit key. Encrypt successive counter values starting with 0 ("CTR mode") to obtain the random output in blocks. Any method by which one can predict or otherwise distinguish this output stream from "purely random bits" with less than 2**256 work represents a weakness in AES-256. If you're using AES-256 for your TLS cipher, and the attacker knows a weakness in it, then you might have bigger problems than the quality of your RNG. - Marsh
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Russ Housley
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Paul Hoffman
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Simon Josefsson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Martin Rex
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Michael D'Errico
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Kemp, David P.
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- [TLS] RNG vs. PRNG Michael D'Errico
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Kemp, David P.
- Re: [TLS] RNG vs. PRNG Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Nicolas Williams
- Re: [TLS] RNG vs. PRNG Martin Rex
- Re: [TLS] RNG vs. PRNG Martin Rex
- Re: [TLS] RNG vs. PRNG Marsh Ray
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Dean Anderson
- Re: [TLS] Last Call: draft-hoffman-tls-additional… Sean Turner