Re: [TLS] 32 byte randoms in TLS1.3 hello's
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 31 October 2017 20:07 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D027013F689 for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 13:07:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfK2J2TvU0x3 for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 13:07:18 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1072C13F68D for <tls@ietf.org>; Tue, 31 Oct 2017 13:07:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C348DBE8A for <tls@ietf.org>; Tue, 31 Oct 2017 20:07:07 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0BqHy4Ic0Xaz for <tls@ietf.org>; Tue, 31 Oct 2017 20:07:06 +0000 (GMT)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EE4AFBE80 for <tls@ietf.org>; Tue, 31 Oct 2017 20:07:05 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1509480426; bh=i22hMJWvclhxcghdglZ80QRf1FzzVkr29O038q1ZD/4=; h=Subject:References:To:From:Date:In-Reply-To:From; b=nzpDb1KP7jWCvvEfHaE9PNXco1o3ykDfykvTv18YyegPD3tN7L/zEJDFSd+NLmghG WUl/at8XxIMAcywNZUbkwAwiR3eKRwtvjxrBUwOg2GBG8uzh2C2NajhyATMUxBX2x8 kOMPsVU3+WUL5UNyK9G482aDcuvSUfBEUyr+j2Sc=
References: <CAAF6GDcSb3jqirTRW7_Udr4u6QJtFpmFug02pMuX-CjEiyNPfg@mail.gmail.com> <20170726205732.784F41A6CB@ld9781.wdf.sap.corp> <CAAF6GDcQCCeq1JosMTpQrh7MZLG1iN-xcOfsXC0LvSZRx+oQjQ@mail.gmail.com> <046ad800-351b-3a79-3f56-7883f5d9ceea@cs.tcd.ie> <CABcZeBMyY0f9D9VEmkKNkLB2OY3TRG7UO-B48xOrA3JSP5xRkw@mail.gmail.com> <20170727233335.8573013.91860.16216@blackberry.com> <2DB2CA47-5121-4B3E-BE0E-116A76F4870E@ll.mit.edu> <CABcZeBNF3WjY6AKoDY4drB+XjMS9LLZ5DmhR=DFX+-0YtKO71g@mail.gmail.com> <726e6666-8af4-384a-95f7-45cb68a331f7@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF501B745D8@XMB116CNC.rim.net> <0698b5f7-3dd7-ee4f-5464-6a7e98a20240@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF501B78355@XMB116CNC.rim.net> <C61414C9-D620-46A5-8990-9964E7B273C1@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <95f9078a-ab3d-28d4-c2db-34507a022af0@cs.tcd.ie>
Date: Tue, 31 Oct 2017 20:07:05 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <C61414C9-D620-46A5-8990-9964E7B273C1@ll.mit.edu>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="2akDielOWolL1BjOCl02b2TR3FV6h0xR5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VEBtfesSVF3Q0aWW26Y0apttw4c>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 20:07:21 -0000
Hiya, > Hasn’t this been the whole point of the discussion?! The proposal to > separate PRNGs into those that supply publicly-visible randomness > (nonces, etc), and those that supply “secret” randomness (keying > material and such)? Thus, having *two* PRNGs, each (hopefully) > properly seeded? > > I’m glad you’re now agreeing that the above is a good plan. > This discussion we had back in July was mostly motivated by dual-ec. I think it's worth noting for the record that we now have another instance of a very similar issue. [1] Personally I think this argues for strengthening the text we include in TLS1.3 to a RECOMMENDATION, in the body of the document (as opposed to Appendix C.1 where it is now) to separate the streams of randomness along the lines described above. The basic change would be to move the 2nd paragraph of C.1 to 4.1.2 where Random is defined, maybe to add a reference to DUHK, and to insert a statement that implementers are RECOMMENDED to put in place such separation. (I don't think we need to say how they ought do that, as it's quite OS/RNG- implementation dependent.) I wonder if the new information (i.e. DUHK) convinces folks that such a change is warranted? If so, great. I'd be happy to submit a new PR or we could re-open [2] or whatever. (I'd be just as happy that the editor figure out the precise wording if that's easier.) If not, I don't we need to debate this again, nor do we need to hold up TLS1.3. If the answer to the above isn't clear from the list between now and the IETF meeting it might be worth asking the room about this in Singapore if time permits. Cheers, S. [1] https://duhkattack.com/ [2] https://github.com/tlswg/tls13-spec/pull/1068
- [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Russ Housley
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Joseph Lorenzo Hall
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Christian Huitema
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Peter Gutmann
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Jeffrey Walton
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Martin Rex
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Watson Ladd
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Eric Rescorla
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Salz, Rich
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Ilari Liusvaara
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Colm MacCárthaigh
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Dan Brown
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] 32 byte randoms in TLS1.3 hello's Stephen Farrell