Re: [TLS] New drafts: adding input to the TLS master secret
Dean Anderson <dean@av8.com> Mon, 08 February 2010 23:15 UTC
Return-Path: <dean@av8.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B709828C0EB for <tls@core3.amsl.com>; Mon, 8 Feb 2010 15:15:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.141
X-Spam-Level:
X-Spam-Status: No, score=-2.141 tagged_above=-999 required=5 tests=[AWL=0.458, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id elsZJ3E2t+9U for <tls@core3.amsl.com>; Mon, 8 Feb 2010 15:15:53 -0800 (PST)
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) by core3.amsl.com (Postfix) with ESMTP id 34A7C3A724D for <tls@ietf.org>; Mon, 8 Feb 2010 15:15:53 -0800 (PST)
Received: from citation2.av8.net (citation2.av8.net [130.105.12.10]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id o18NGrUF013603 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Mon, 8 Feb 2010 18:16:53 -0500
Date: Mon, 08 Feb 2010 18:16:53 -0500
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20100208204426.01C756E7CFA@kilo.networkresonance.com>
Message-ID: <Pine.LNX.4.44.1002081632060.17664-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: tls@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [TLS] New drafts: adding input to the TLS master secret
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2010 23:15:54 -0000
On Mon, 8 Feb 2010, Eric Rescorla wrote: > > > > I'll see if I can find a better reference. I think the > > cryptographic fact I'm looking for is that a pseudo-random sequence > > is compromised by having part of the sequence known. > > Well, this isn't true. In fact, it's a basic design requirement of > CSPRNGs that this not be so (up to the input entropy of the PRNG). If > you have any evidence that the standard PRNGs/PRFs fall significantly > short of this requirement, this would be a result worthy of > publication in a good conference. Actually, it appears to me that it is an unproven assumption of the next-bit test. ("it" being that there is no polynomial time algorithm to calculate the next bit) I believe the key phrase is "up to the input entropy of the PRNG". If you have enough of the sequence, you can get the whole sequence. The TLS random exposes an essentially unlimited amount of the pseudo-random sequence. I don't assert any revelation about PRNG properties. I think all I have discovered is that in TLS, one can get an essentially unlimited amount of the PRNG sequence by mere snooping (no decryption). The already-known properties of pseudo-random sequences are that one can compute the whole sequence given knowledge of an unlimited amount of the sequence because they are not random. The tests on for "cryptographic security" of PRBG are complicated, but roughly summarized as based on statistical expectations for the next bit in the sequence. The 'next-bit' test posits that there are no polynomial time algorithms for calculating the next bit. But this is assumed, not proven property. It was also assumed to be true of Linear Feedback Shift Registers, but was found false. There is nothing that proves the PRNG isn't predictable if you can see a whole lot of its sequence, or that calculating the next bit is computationally infeasible given a lot of sequence. >From "Handbook of Applied Cryptography" Section 5.1.1 on Pseudo Random Bit Generators: "The output of a PRBG is not random; in fact the number of possible output sequences is at most a small fraction 2^k/2^l, of all possible binary sequences of length l." So one can see, as l gets larger with k constant, the fraction of all output sequences gets smaller. The pre_master_secret is 384 bits and the Random value is presently 256 bits. So the random exposes 40% of the sequence. Paul's proposal increases the exposure. That seems like a bad idea. Exposing any part of the sequence seems like a bad idea. Full enumeration of the PRBG is probably infeasible. But it is not clear that full enumeration is necessary to predict the sequence. It wasn't necessary to have very much of the sequence for LFSR. It may indeed prove to be computationally infeasible, but it not proven so far. Some generators may be better than others. Or not. Not so long ago, linear feedback shift registers were thought to be computationally infeasible to break and were the stream cipher for GSM, but then that was discovered to be wrong, and that calculation was really pretty easy. When all we need are unique master_secrets across sessions, this seems like an unnecessary risk. Why not alter TLS to require a different pseudo-random sequence generator for Random values? --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 256 5494
- Re: [TLS] New drafts: adding input to the TLS mas… Stefan Santesson
- [TLS] New drafts: adding input to the TLS master … Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Simon Josefsson
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Simon Josefsson
- Re: [TLS] New drafts: adding input to the TLS mas… Brian Smith
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Brian Smith
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Bill Frantz
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Paul Hoffman
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Jeffrey A. Williams
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… Eric Rescorla
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Marsh Ray
- Re: [TLS] New drafts: adding input to the TLS mas… Dean Anderson
- Re: [TLS] New drafts: adding input to the TLS mas… Martin Rex
- Re: [TLS] New drafts: adding input to the TLS mas… James Manger