IETF Logo Mail Archive

Re: [TLS] 32 byte randoms in TLS1.3 hello's

mrex@sap.com (Martin Rex) Wed, 26 July 2017 18:59 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29DE012EB9B for <tls@ietfa.amsl.com>; Wed, 26 Jul 2017 11:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.421
X-Spam-Level:
X-Spam-Status: No, score=-6.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nFUwkXte3bUP for <tls@ietfa.amsl.com>; Wed, 26 Jul 2017 11:59:05 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E307C12EA7C for <tls@ietf.org>; Wed, 26 Jul 2017 11:58:59 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 3xHkst14g1z1HTl; Wed, 26 Jul 2017 20:58:58 +0200 (CEST)
X-purgate-ID: 152705::1501095538-00000805-BF1A869E/0/0
X-purgate-size: 2236
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3xHkss0F9HzGnxJ; Wed, 26 Jul 2017 20:58:57 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 0311E1A6CB; Wed, 26 Jul 2017 20:58:57 +0200 (CEST)
In-Reply-To: <CAAF6GDfe7rXRwSnuiMgftBGUnToDbzEJqedkZwcvPiJodd=2aA@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 26 Jul 2017 20:58:56 +0200
CC: mrex@sap.com, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20170726185857.0311E1A6CB@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uGr7Xe5FjRGNZT-A-ShMIF1X-64>
Subject: Re: [TLS] 32 byte randoms in TLS1.3 hello's
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 18:59:07 -0000

Colm MacCárthaigh wrote:
> Martin Rex <mrex@sap.com> wrote:
>> 
>> Since you also have no idea whether and how the internal hardware design
>> behind Intel RDRAND is backdoored, you should not be using any of its
>> output without an at least 10x cryptographic compression in any case.
> 
> Obviously your CPU can fully compromise you locally, so that's not very
> interesting to think about. But for remote attacks, like the one you
> describe here, where an adversary may use predictable PRNG output, it is
> probably better to mix RDRAND output with something else. There are a few
> layers of defense here, such as multi-source NRBGs, or personalization
> strings. Those significantly distance the output from the RDRAND. The kind
> of compression you mention here can be easily precomputed and tables
> generated by someone with a large amount of resources, since it's a pure
> function.

We're either talking about different things, or I fail to understand
what you're talking about.

The predictable failure of EC_Dual was based on the fact that the
internal state and the output had (almost) the _same_ size.

With RDRAND, you would use e.g. SHA-256 to compress 10*256 = 2560 Bits of
a black-box CPRNG output into a 256-bit _new_ output that you
actually use in communication protocols.

Should the creator of a backdoored black-box-CPRNG be able to recompute
the internal state from a few leaked _new_ (post-compression) outputs,
then you _will_ be able to notice a real problem (non-randomness)
problem with the outputs of black-box-CPRNG.


> 
> In BoringSSL, and s2n, we mix RDRAND in as part of the reseeding. But the
> initial seed came from urandom (which is not pure RDRAND). In s2n, we also
> use personalization strings to provide another degree of defense.

Any half-way portable crypto library will have code for collecting
entropy on pre-RDRAND Intel CPUs and non-Intel CPUs, probably use
an entropy pool that is >=512 bits and outputs of at most half of
the size of the entropy pool, and use compressed RDRAND outputs for
additional entropy gathering, and at most for nonces, but never
use RDRAND alone for generation of secret keying material.


-Martin

v2.23.0 | Report a Bug | By Email