Re: [TLS] [Cfrg] 3DES diediedie

Peter Gutmann <> Wed, 07 September 2016 10:38 UTC

From: Peter Gutmann <>
To: Ilari Liusvaara <>, "" <>, "" <>
Date: Wed, 7 Sep 2016 10:38:35 +0000

Ilari Liusvaara <> writes:

>The TLS-style asymmetric designs don't come even close to cutting it if
>client lacks good entropy source.

Actually they're fine, see the comment about using entropy from both sides.
You can run one side of a TLS communication with zero entropy (just a fixed
secret) if you mix the client and server hello into your PRNG alongside the
fixed secret data.

>Heck, I have seen board advertised for "IoT" applications where the way I
>loaded new software was to transfer the C++11 source via either USB stick or
>via TCP/IP over ethernet and then use GCC on the board itself to make a

That's how you do development work for the CI20.  It's actually rather
convenient, you just plug it in, SSH over, and you're ready to go.

Maybe that's one way to identify whether your "IoT device" falls into the
desktop-PC equivalent class: if it can self-host its own build tools, it's a
PC.  If you upload a single solid blob that's the BSP/OS and application all
in one over a serial port and debug it using whatever cavemen used to debug
fire, then it's embedded/IoT/SCADA/whatever.
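The "mix the client and server hello into your PRNG alongside the fixed secret" design from the reply above, as an added Python sketch that is not code from the thread or from any TLS implementation; the HMAC-SHA256 construction, the labels and the constructed fixed secret are assumptions:

```python
import hashlib
import hmac

HASH = hashlib.sha256


def session_seed(fixed_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # The fixed secret keys the HMAC; both hello randoms are the message.
    # A side with no entropy source still gets a per-session seed because
    # the peer's hello random changes every session (assumed construction).
    return hmac.new(fixed_secret, b"seed" + client_random + server_random, HASH).digest()


def prng_bytes(seed: bytes, label: bytes, length: int) -> bytes:
    # HKDF-Expand style chain: T(i) = HMAC(seed, T(i-1) || label || i)
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(seed, prev + label + bytes([i]), HASH).digest()
        out += prev
        i += 1
    return out[:length]


class ZeroEntropyClient:
    """Client whose only secret material is a fixed, device-specific key."""

    def __init__(self, fixed_secret: bytes):
        self.fixed_secret = fixed_secret
        # With no entropy source the client hello random is deterministic, so
        # it repeats across sessions and is visible to anyone on the wire.
        # Freshness has to come from the server's hello random.
        self.client_random = prng_bytes(fixed_secret, b"client hello", 32)

    def session_keys(self, server_random: bytes) -> bytes:
        seed = session_seed(self.fixed_secret, self.client_random, server_random)
        return prng_bytes(seed, b"session keys", 48)


if __name__ == "__main__":
    client = ZeroEntropyClient(b"constructed-fixed-secret")
    # Two constructed server randoms standing in for two separate sessions.
    keys_a = client.session_keys(bytes(range(32)))
    keys_b = client.session_keys(bytes(range(32, 64)))
    print("client random repeats:", client.client_random.hex())
    print("session keys differ:", keys_a != keys_b)
```

The output shows the fixed-secret side producing distinct session keys only because the peer contributed fresh randomness; if the fixed secret leaks, every session that used it is recoverable by anyone who also captured the hellos.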