Re: [TLS] Extended random is NSA backdoor

Bodo Moeller <bmoeller@acm.org> Tue, 01 April 2014 14:15 UTC

In-Reply-To: <4564B6F0-EAE8-457F-8698-ED929F4DDA01@pahtak.org>
References: <CACsn0cmOjLDVgHjN00vb7XVTEU2FS9ZP5Rdax1W7sUqVBPQdvA@mail.gmail.com> <53397B6F.9050806@mykolab.com> <CAL9PXLzuwKCZ2MhLUMviTW-aV19Zm-m=4mVEcmKkFUtHm6sPKQ@mail.gmail.com> <53397E0C.9000504@mykolab.com> <CA+cU71mbBs_ER31abZ1nP1FtVAwREMvRwpPmcLaSYZiXhqUPGg@mail.gmail.com> <53397F7C.2060603@mykolab.com> <53398AB3.9090102@gmail.com> <CAGZ8ZG0sd+K2jCmA0KeH55dPG6Y+WHm7LDyhosFjY5R7ekp5GQ@mail.gmail.com> <4564B6F0-EAE8-457F-8698-ED929F4DDA01@pahtak.org>
Date: Tue, 01 Apr 2014 16:14:52 +0200
Message-ID: <CADMpkc+1Ds+PqLvhfaoXKC8FV_FfMtmOVB0wnZQU3ifYPDaqAg@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Stephen Checkoway <s@pahtak.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ZkCUZNe_WQcGYiVFftDR5bOIeOs
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Extended random is NSA backdoor

Stephen Checkoway <s@pahtak.org>:

> I can't speak to anyone's intentions, but note that these aren't the only
> I-Ds that add more randomness. As described in our paper, <
> http://tools.ietf.org/html/draft-hoffman-tls-additional-random-ext-01> is
> quite similar.
>
> The idea of adding more random bits seems to have been fairly popular in
> the 2006-2010 timeframe.
>
> There may be more proposals to do this, for example using <
> http://tools.ietf.org/html/rfc6358>, that I missed.
>

I think that's essentially one family of Internet-Drafts, finally resulting
in the RFC 6358 framework.  A missing link is
http://tools.ietf.org/html/draft-solinas-tls-additional-prf-input-01.

http://tools.ietf.org/html/draft-rescorla-tls-opaque-prf-input-00 -
Rescorla/Salter, 2006
http://tools.ietf.org/html/draft-rescorla-tls-extended-random-02 -
Rescorla/Salter, 2009
http://tools.ietf.org/html/draft-solinas-tls-additional-prf-input-01 -
Solinas/Hoffman, 2009
http://tools.ietf.org/html/draft-hoffman-tls-additional-random-ext-01 with
http://tools.ietf.org/html/rfc6358 - Hoffman, 2010/2012