Re: [TLS] New drafts: adding input to the TLS master secret
Martin Rex <mrex@sap.com> Tue, 09 February 2010 14:53 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DCBC73A7391 for <tls@core3.amsl.com>; Tue, 9 Feb 2010 06:53:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.216
X-Spam-Level:
X-Spam-Status: No, score=-10.216 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0fIo0SjABtL for <tls@core3.amsl.com>; Tue, 9 Feb 2010 06:53:29 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 7B1843A71FA for <tls@ietf.org>; Tue, 9 Feb 2010 06:53:29 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id o19EsYaO023447 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Feb 2010 15:54:34 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201002091454.o19EsXuL014610@fs4113.wdf.sap.corp>
To: ekr@networkresonance.com
Date: Tue, 09 Feb 2010 15:54:33 +0100
In-Reply-To: <20100209032703.476306E7D80@kilo.networkresonance.com> from "Eric Rescorla" at Feb 8, 10 07:27:01 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] New drafts: adding input to the TLS master secret
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2010 14:53:31 -0000
Eric Rescorla wrote: > > At Mon, 8 Feb 2010 23:59:54 +0100 (MET), Martin Rex wrote: > > > > Eric Rescorla wrote: > > > > > > With any reasonable PRNG this is not a security concern. > > > > You may be looking at the problem from the wrong angle. > > > > If there is not enough entropy to seed your CPRNG, then it is > > possible to brute force the entire entropy range and check for matches > > with the leaked randomness to know about the "unleaked" randomness > > that goes into the client key exchange (or premaster secret for RSA). > > Yes, I'm aware of this fact. In fact, see [YRS+09] for a worked example. The issue has come up several times. I remember this one (Netscape-Browser, SSL session encryption, 1995): http://marc.info/?l=bugtraq&m=87602167418753&w=2 The problem with debian was more severe for the servers, because the lack of randomness persisted in the rsa keypairs of the server certificates, i.e. lack-of-protection for the key-exchange rather than lack of entropy in the the client-generated premaster secret. > > It's not clear to me that avoiding leakage of any PRNG output helps > that much, since an attacker who knows the potential outputs of the > PRNG can simply do trial decryption to see if the projected outputs > produce correct decryptions. The reason it helps in the example above > is that you need to track the evolution of the PRNG through multiple > requests. However, this seems like a fairly unusual case. It > would not, for instance, likely apply to clients, which only > maintain a small number of PRNG contexts. I agree that it does not help that much, only making the exhaustive search of the entropy space more cpu-intensive (similar to the iteration count on string-to-key operations for PBE). My primary concern is with the reasoning behind the extension, what has been given does not seem to improve the situation at all. If anything, this extension could make the problem slightly worse. > > If you're a TLS server and you > just do static RSA, then it is safe to do TLS even without > a good source of entropy. On the other hand, if you're doing > DHE or you're a TLS client doing static RSA, then it's pretty > hard to have a secure system unless you can muster enough > entropy to make exhaustive search of the entropy space > infeasible. I would be careful with such a statement. The most difficult part about the OpenSSL debian problem wasn't about getting OpenSSL fixed, it was about replacing all the low-entropy keypairs / server certificates that had been generated. The majority of Browsers, and therefore the entropy in the RSA premaster secrets, did never have this particular Debian randomness problem. Sessions were affected through the lack-of-protection on the TLS key-exchange (RSA premaster secret encrypted with a low-entropy server key). So if you have a TLS server without a good source of entropy, you definitely should create the server's keypair someplace else and transfer both, server key and cert onto that device rather than having the device create its own keypair. -Martin
- Re: [TLS] New drafts: adding input to the TLS mas… Stefan Santesson
- [TLS] New drafts: adding input to the TLS master … Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Simon Josefsson
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Simon Josefsson
- Re: [TLS] New drafts: adding input to the TLS mas… Brian Smith
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Brian Smith
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Bill Frantz
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Jeffrey A. Williams
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… James Manger