Re: [TLS] Last Call: draft-hoffman-tls-additional-random-ext (Additional Random

Paul Hoffman <> Thu, 22 April 2010 14:34 UTC

Date: Thu, 22 Apr 2010 07:29:46 -0700
To: Simon Josefsson <>
From: Paul Hoffman <>

At 12:51 AM +0200 4/22/10, Simon Josefsson wrote:
>In which environments is the extension useful?
>The only motivation in the document that I can find is this:
>  In some application environments, it is desirable to have the client
>  and/or the server be able to input more random material in the master
>  key calculation than is allowed by the fixed-length Random value.
>I believe more justification than that is required for Proposed
>In particular, what I'd like to see is references to some application
>environments where the extension is desirable, and the rationale why it
>is desirable in that environment.
>Without a rationale for when the extension is useful, it is impossible
>for implementers to know when use of this extension is warranted or not.

The environment I described in the earlier thread is TLS with
Diffie-Hellman. I thought that saying that was sufficient, but I guess
it wasn't.

In Diffie-Hellman key establishment with static keys, even if the PRNG
of one side is bad, the resulting pre-master secret is still sound.
Neither side knows whether or not the PRNG of the other side is bad, so
each side wants to supply sufficient randomness for the master secret
even if the other side's PRNG is bad. If a side with a bad PRNG adds its
own input, it doesn't hurt the randomness of the result, but a side with
a good PRNG can bring up the amount of randomness.

I did not want to list this as the justification because there may be
other reasons to use the extension, and I don't want readers to think
that this is the only one. For example, future types of TLS key
establishment might have similar properties as static-static

Does that help?

--Paul Hoffman, Director
--VPN Consortium
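The static-DH argument above, in working code, as an added example that is not part of this message or of the draft: the TLS 1.2 PRF from RFC 5246 derives the master secret from a constructed, session-invariant pre-master secret (standing in for a static-static DH shared secret), a client whose PRNG is stuck at zeros, and a server that supplies its own Random plus, as an assumed placement of the extension's bytes, extra random appended after its Random.

```python
import hmac
import hashlib
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes,
                  client_additional: bytes = b"", server_additional: bytes = b"") -> bytes:
    """RFC 5246, 8.1: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random), 48 bytes.
    ASSUMPTION: each side's additional random is placed directly after its
    Random; the draft's exact seed layout is not reproduced here."""
    seed = client_random + client_additional + server_random + server_additional
    return p_sha256(pre_master, b"master secret" + seed, 48)

# Constructed stand-in for a static-static DH shared secret: with static keys
# on both sides it is identical in every session between this pair of peers.
STATIC_PREMASTER = b"\x42" * 128
BROKEN_CLIENT_RANDOM = bytes(32)   # client PRNG that always returns zeros

def sessions_with_broken_client(n: int = 3, server_extra: int = 0) -> list:
    """Run n handshakes where only the server has a working PRNG.
    server_extra > 0 models the server also sending additional random,
    so it can contribute more than the 32-byte Random allows."""
    secrets = []
    for _ in range(n):
        secrets.append(master_secret(STATIC_PREMASTER, BROKEN_CLIENT_RANDOM,
                                     os.urandom(32),
                                     server_additional=os.urandom(server_extra)))
    return secrets

def session_both_broken() -> bytes:
    """Both PRNGs stuck and static DH: nothing fresh enters the master secret,
    so every session between the two peers derives the same keys."""
    return master_secret(STATIC_PREMASTER, BROKEN_CLIENT_RANDOM, bytes(32))
```

With only the server's Random (or Random plus additional random) varying, the master secret still changes per session; with both sides stuck and a static pre-master secret, it does not.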