IETF Logo Mail Archive

Re: [TLS] 32 byte randoms in TLS1.3 hello's

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 31 October 2017 20:07 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D027013F689 for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 13:07:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfK2J2TvU0x3 for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 13:07:18 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1072C13F68D for <tls@ietf.org>; Tue, 31 Oct 2017 13:07:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C348DBE8A for <tls@ietf.org>; Tue, 31 Oct 2017 20:07:07 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0BqHy4Ic0Xaz for <tls@ietf.org>; Tue, 31 Oct 2017 20:07:06 +0000 (GMT)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EE4AFBE80 for <tls@ietf.org>; Tue, 31 Oct 2017 20:07:05 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1509480426; bh=i22hMJWvclhxcghdglZ80QRf1FzzVkr29O038q1ZD/4=; h=Subject:References:To:From:Date:In-Reply-To:From; b=nzpDb1KP7jWCvvEfHaE9PNXco1o3ykDfykvTv18YyegPD3tN7L/zEJDFSd+NLmghG WUl/at8XxIMAcywNZUbkwAwiR3eKRwtvjxrBUwOg2GBG8uzh2C2NajhyATMUxBX2x8 kOMPsVU3+WUL5UNyK9G482aDcuvSUfBEUyr+j2Sc=
References: <CAAF6GDcSb3jqirTRW7_Udr4u6QJtFpmFug02pMuX-CjEiyNPfg@mail.gmail.com> <20170726205732.784F41A6CB@ld9781.wdf.sap.corp> <CAAF6GDcQCCeq1JosMTpQrh7MZLG1iN-xcOfsXC0LvSZRx+oQjQ@mail.gmail.com> <046ad800-351b-3a79-3f56-7883f5d9ceea@cs.tcd.ie> <CABcZeBMyY0f9D9VEmkKNkLB2OY3TRG7UO-B48xOrA3JSP5xRkw@mail.gmail.com> <20170727233335.8573013.91860.16216@blackberry.com> <2DB2CA47-5121-4B3E-BE0E-116A76F4870E@ll.mit.edu> <CABcZeBNF3WjY6AKoDY4drB+XjMS9LLZ5DmhR=DFX+-0YtKO71g@mail.gmail.com> <726e6666-8af4-384a-95f7-45cb68a331f7@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF501B745D8@XMB116CNC.rim.net> <0698b5f7-3dd7-ee4f-5464-6a7e98a20240@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF501B78355@XMB116CNC.rim.net> <C61414C9-D620-46A5-8990-9964E7B273C1@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <95f9078a-ab3d-28d4-c2db-34507a022af0@cs.tcd.ie>
Date: Tue, 31 Oct 2017 20:07:05 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <C61414C9-D620-46A5-8990-9964E7B273C1@ll.mit.edu>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="2akDielOWolL1BjOCl02b2TR3FV6h0xR5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VEBtfesSVF3Q0aWW26Y0apttw4c>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 20:07:21 -0000

Hiya,

> Hasn’t this been the whole point of the discussion?! The proposal to
> separate PRNGs into those that supply publicly-visible randomness
> (nonces, etc), and those that supply “secret” randomness (keying
> material and such)? Thus, having *two* PRNGs, each (hopefully)
> properly seeded?
> 
> I’m glad you’re now agreeing that the above is a good plan.
> 

This discussion we had back in July was mostly motivated
by dual-ec. I think it's worth noting for the record that
we now have another instance of a very similar issue. [1]

Personally I think this argues for strengthening the text
we include in TLS1.3 to a RECOMMENDATION, in the body of
the document (as opposed to Appendix C.1 where it is now)
to separate the streams of randomness along the lines
described above.

The basic change would be to move the 2nd paragraph of C.1
to 4.1.2 where Random is defined, maybe to add a reference
to DUHK, and to insert a statement that implementers are
RECOMMENDED to put in place such separation. (I don't think
we need to say how they ought do that, as it's quite OS/RNG-
implementation dependent.)

I wonder if the new information (i.e. DUHK) convinces folks
that such a change is warranted?

If so, great. I'd be happy to submit a new PR or we could
re-open [2] or whatever. (I'd be just as happy that the
editor figure out the precise wording if that's easier.)

If not, I don't we need to debate this again, nor do we need
to hold up TLS1.3.

If the answer to the above isn't clear from the list between
now and the IETF meeting it might be worth asking the room
about this in Singapore if time permits.

Cheers,
S.

[1] https://duhkattack.com/
[2] https://github.com/tlswg/tls13-spec/pull/1068

v2.23.0 | Report a Bug | By Email