Re: [TLS] 32 byte randoms in TLS1.3 hello's

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 25 July 2017 23:57 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 25 Jul 2017 23:57:16 +0000
Message-ID: <1501027031926.45701@cs.auckland.ac.nz>
References: <67679ecc-1043-a70a-6d57-8807f78e1afa@cs.tcd.ie> <CAAF6GDejyu7+ApbG-drMOSW3M=nc1MJJeA45O40RDbEedk15kA@mail.gmail.com> <1500954833319.1033@cs.auckland.ac.nz> <f328d15e-6eed-e257-5cc3-51e9af2f4bfe@cs.tcd.ie>, <2467f973-392a-f579-8b2f-e7cc5332fc49@huitema.net>
In-Reply-To: <2467f973-392a-f579-8b2f-e7cc5332fc49@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YExgODAveCpzwg-NsVi0snlyiqQ>

Christian Huitema <huitema@huitema.net> writes:

>For one thing, it conflicts with the general advice that developers should
>not invent their own PRNG, 

You're not inventing your own PRNG, you're using the TLS PRF, or some
equivalent (I use PBKDF2, HKDF is also nice).

>and should use a good crypto RNG when available.

You're generating public nonces, you could use SHA-1 in a loop or a CRC32 or
whatever, the values are public.  All you're doing is isolating the output of
the nonce generator from your crypto-key generator.  In fact the very thing
you absolutely don't want to use here is your good crypto RNG.

>Also, when we make such a recommendation in the TLS spec, we can hope that it
>will be heeded by the TLS developers, but what about the developers of
>applications and protocols sitting on top of TLS, such as DTLS, QUIC or HTTP?

They don't need to know or care about this, it's being used to generate the
TLS nonce which is invisible to anything running over TLS.

Are we talking about the same thing here?

Peter.
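As an added illustration of the separation Peter describes (example code written for this archive page; it is not code from the thread nor from any implementation the posters maintain), here is a Python sketch. HKDF with SHA-256 (RFC 5869) stands in for "the TLS PRF, or some equivalent": the hello-random generator is seeded once, at construction, and expands that seed over a counter, while secret key material comes straight from the OS CSPRNG and never touches the nonce state. The salt label, the `info` layout, the class name and the use of 64-bit counters are my own assumptions; the self-test vector is RFC 5869 test case 1.

```python
import hashlib
import hmac
import os
import struct

# HKDF per RFC 5869, instantiated with SHA-256.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i); return the first `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output is limited to 255 * HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def rfc5869_self_test() -> bool:
    """Check the KDF against RFC 5869 test case 1 before trusting it with anything."""
    ikm = b"\x0b" * 22
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


class HelloRandomGenerator:
    """Source of the 32-byte ClientHello / ServerHello random values.

    The generator owns one seed, fixed at construction, and turns it into a
    stream of randoms with HKDF-Expand over a running counter. Nothing else in
    the stack derives from this seed, so the randoms an endpoint puts on the
    wire say nothing about the state of the generator that produces its keys.
    """

    RANDOM_LEN = 32

    def __init__(self, seed=None):
        # A caller-supplied seed exists only for reproducible tests; in real use
        # the seed is drawn once from the OS here and never reused elsewhere.
        if seed is None:
            seed = os.urandom(32)
        # Hypothetical salt label: any fixed, domain-separating value would do.
        self._prk = hkdf_extract(b"hello-random-generator", seed)
        self._counter = 0

    def next_random(self) -> bytes:
        self._counter += 1
        # The counter is the only per-call input; it binds each output to its position.
        info = b"hello random " + struct.pack(">Q", self._counter)
        return hkdf_expand(self._prk, info, self.RANDOM_LEN)


def generate_secret_key(length: int) -> bytes:
    """Secret key material comes straight from the OS CSPRNG, never from the nonce stream."""
    return os.urandom(length)


if __name__ == "__main__":
    assert rfc5869_self_test()
    gen = HelloRandomGenerator()
    print("client random:", gen.next_random().hex())
    print("session key:  ", generate_secret_key(32).hex())
```

The point of the split is the one in the message above: a hello random is public by construction, so the property you need from its generator is unpredictability to the peer, not secrecy of its state. With the seed confined to `HelloRandomGenerator` and keys drawn only from `generate_secret_key`, recovering the nonce generator's state from the randoms on the wire yields nothing about the key generator, which is the isolation Peter is after. PBKDF2 or the TLS PRF would serve equally well in place of HKDF.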