Re: [TLS] Extended random is NSA backdoor
Nico Williams <nico@cryptonector.com> Tue, 01 April 2014 02:27 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A4F1A6FC0 for <tls@ietfa.amsl.com>; Mon, 31 Mar 2014 19:27:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.303
X-Spam-Level:
X-Spam-Status: No, score=0.303 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_BL_SPAMCOP_NET=1.347] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezEXqcJgH5CD for <tls@ietfa.amsl.com>; Mon, 31 Mar 2014 19:27:01 -0700 (PDT)
Received: from homiemail-a27.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 83D441A6F9C for <tls@ietf.org>; Mon, 31 Mar 2014 19:27:01 -0700 (PDT)
Received: from homiemail-a27.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTP id 6118259805F for <tls@ietf.org>; Mon, 31 Mar 2014 19:26:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=JkPNQp4cPbDPa3qITC73 WfmIvZk=; b=gYYXIrO5hqkXvaR/KEOBUXsAwlzuXfBKzJPUGTfJG4HgjS9XJtF9 tw6NwDcXMD3kdvnuXoSxI0XgxRNiSw+UkJ0R/B7tReBW1F2Q50ce9wZFJuPfHIQ3 uvk5DfyV3OWu18drpC5P2akSA2W4OIgqSUcxhUB9tWnTjA6lCv44ywM=
Received: from mail-we0-f178.google.com (mail-we0-f178.google.com [74.125.82.178]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTPSA id 11E2A598058 for <tls@ietf.org>; Mon, 31 Mar 2014 19:26:57 -0700 (PDT)
Received: by mail-we0-f178.google.com with SMTP id u56so5464791wes.37 for <tls@ietf.org>; Mon, 31 Mar 2014 19:26:57 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.98.35 with SMTP id ef3mr16364271wib.39.1396319217056; Mon, 31 Mar 2014 19:26:57 -0700 (PDT)
Received: by 10.217.129.197 with HTTP; Mon, 31 Mar 2014 19:26:56 -0700 (PDT)
In-Reply-To: <CACsn0cke=seQfSkzUKf4oiKzUpa3UgfA2am=-5Q-a03S35=0yg@mail.gmail.com>
References: <CACsn0cmOjLDVgHjN00vb7XVTEU2FS9ZP5Rdax1W7sUqVBPQdvA@mail.gmail.com> <53397B6F.9050806@mykolab.com> <CAL9PXLzuwKCZ2MhLUMviTW-aV19Zm-m=4mVEcmKkFUtHm6sPKQ@mail.gmail.com> <53397E0C.9000504@mykolab.com> <CA+cU71mbBs_ER31abZ1nP1FtVAwREMvRwpPmcLaSYZiXhqUPGg@mail.gmail.com> <53397F7C.2060603@mykolab.com> <53398AB3.9090102@gmail.com> <CAGZ8ZG0sd+K2jCmA0KeH55dPG6Y+WHm7LDyhosFjY5R7ekp5GQ@mail.gmail.com> <4564B6F0-EAE8-457F-8698-ED929F4DDA01@pahtak.org> <26D8EEDC-DE7D-4681-BE06-216DBAF55BEE@vigilsec.com> <CAK3OfOg4Oy6PP-tq1w9KbADg16r-2A9rX8=zOMERHzrrKaU3jA@mail.gmail.com> <CACsn0cke=seQfSkzUKf4oiKzUpa3UgfA2am=-5Q-a03S35=0yg@mail.gmail.com>
Date: Mon, 31 Mar 2014 21:26:56 -0500
Message-ID: <CAK3OfOhyZo_hPVNSpL6BP6t7b5wyT=rFuvgm3hkOkDQpSwZV6w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xjmf-o6zOqHj_Zu08n-WqhT6M_k
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Extended random is NSA backdoor
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 02:27:02 -0000
On Mon, Mar 31, 2014 at 9:02 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Mon, Mar 31, 2014 at 5:46 PM, Nico Williams <nico@cryptonector.com> wrote: >> On Mon, Mar 31, 2014 at 2:12 PM, Russ Housley <housley@vigilsec.com> wrote: >>> [...] >> >> Under no circumstance does sending more nonce bits help palliate a >> weak RNG. On the contrary, doing so can only make the sender more >> susceptible to attack. In 2006 we would all have understood this. > > That's why these remained I-Ds. I didn't do the necessary list archive-ology. Good to know that my supposition was right. >> Now, the I-D in question are very explicit as to motivation: >> >> The United States Department of Defense has requested a TLS mode >> which allows the use of longer public randomness values for use with >> high security level cipher suites like those specified in Suite B >> [I-D.rescorla-tls-suiteb]. The rationale for this as stated by DoD >> is that the public randomness for each side should be at least twice >> as long as the security level for cryptographic parity, which makes >> the 224 bits of randomness provided by the current TLS random values >> insufficient. >> >> That's not likely to have raised eyebrows much in 2006 -- that is >> true. Even with knowledge of backdoored RNG designs it might not now >> (because that's a local problem now as ever). > > Huh? Even if the RNG is perfectly fine, I don't see what adding more > random information in to the master secret derivation does. That > motivation was questioned in 2006 because it doesn't make any sense. > The reason server random and client random exist is to avoid replay > attacks, and 32 bytes is wildly overkill for this. They don't add > anything to the difficulty for an attacker. It's a completely > meaningless rationale. For me the main problem with sending more nonce bytes is that it increases the bandwidth of a covert channel -- a more general case of making weak RNGs more susceptible to attack. But it seems reasonable _at first glance_ (which is what I meant above) to say that to get X bits of security you need a cipher with X bits of key, PK algorithms with X bits equivalent security, and X bits of nonce from each party. > The RFC permitting adding extra data into master secret derivation was > actually motivated: one would ideally hash identities in, as was > discovered very recently. But it doesn't take the extra step of > actually fixing the issues, which we still have to do. Or channel binding. But one need not send the channel binding data when doing channel binding! Nico --
- [TLS] Extended random is NSA backdoor Watson Ladd
- Re: [TLS] Extended random is NSA backdoor Paul Ferguson
- Re: [TLS] Extended random is NSA backdoor Adam Langley
- Re: [TLS] Extended random is NSA backdoor Stephen Checkoway
- Re: [TLS] Extended random is NSA backdoor Paul Ferguson
- Re: [TLS] Extended random is NSA backdoor Tom Ritter
- Re: [TLS] Extended random is NSA backdoor Paul Ferguson
- Re: [TLS] Extended random is NSA backdoor Rene Struik
- Re: [TLS] Extended random is NSA backdoor Jacob Appelbaum
- Re: [TLS] Extended random is NSA backdoor Trevor Perrin
- Re: [TLS] Extended random is NSA backdoor Stephen Checkoway
- Re: [TLS] Extended random is NSA backdoor Dan Harkins
- Re: [TLS] Extended random is NSA backdoor Dan Harkins
- Re: [TLS] Extended random is NSA backdoor Stephen Farrell
- Re: [TLS] Extended random is NSA backdoor Russ Housley
- Re: [TLS] Extended random is NSA backdoor Marsh Ray
- Re: [TLS] Extended random is NSA backdoor Nico Williams
- Re: [TLS] Extended random is NSA backdoor =JeffH
- Re: [TLS] Extended random is NSA backdoor Nico Williams
- Re: [TLS] Extended random is NSA backdoor Michael D'Errico
- Re: [TLS] Extended random is NSA backdoor Watson Ladd
- Re: [TLS] Extended random is NSA backdoor Nico Williams
- Re: [TLS] Extended random is NSA backdoor Nico Williams
- Re: [TLS] Extended random is NSA backdoor Nico Williams
- Re: [TLS] Extended random is NSA backdoor Bodo Moeller