[cryptography] Extended Random is extended to whom, exactly?
iang at iang.org
Mon Mar 31 18:33:45 EDT 2014
On 31/03/2014 18:49 pm, Michael Rogers wrote:
> On 31/03/14 18:36, ianG wrote:
>> END of snippets, mostly to try and figure out what this protocol
>> is before casting judgement. Anyone got an idea?
> "The United States Department of Defense has requested a TLS mode
> which allows the use of longer public randomness values for use with
> high security level cipher suites like those specified in Suite B
> [I-D.rescorla-tls-suiteb]. The rationale for this as stated by DoD
> is that the public randomness for each side should be at least twice
> as long as the security level for cryptographic parity, which makes
> the 224 bits of randomness provided by the current TLS random values
4.1. Threats to TLS
When this extension is in use it increases the amount of data that an
attacker can inject into the PRF. This potentially would allow an
attacker who had partially compromised the PRF greater scope for
influencing the output. Hash-based PRFs like the one in TLS are
designed to be fairly indifferent to the input size (the input is
already greater than the block size of most hash functions), however
there is currently no proof that a larger input space would not make
Another concern is that bad implementations might generate low
entropy extended random values. TLS is designed to function
correctly even when fed low-entropy random values because they are
primarily used to generate distinct keying material for each
In some ways, this reminds me of the audit reports for compromised CAs.
Once you know the compromise, you can often see the weakness in the
report. In some cases the auditor has pointed it out in black and
white, but it's a trapdoor function; you have to know the language, and
have some independent confirmation of the weakness, to know that the
auditor covered himself.
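The two draft passages quoted above talk about the TLS PRF in the abstract. The following is an added example (not code from ianG's post, the draft, or any TLS implementation) that implements the TLS 1.2 PRF from RFC 5246 section 5 and mixes Extended Random values into the master-secret seed, so the two concerns can be seen concretely: how much more attacker-visible input the extension pushes through the PRF, and why an all-zero extended_random from a bad implementation still yields per-session keys as long as the ordinary randoms and the pre_master_secret behave. Assumptions: the concatenation order `client_random + client_ext + server_random + server_ext` is my reading of the draft, the 64-byte extended length is just a plausible "longer than 32 bytes" value, and every input byte string is constructed, not captured from a real handshake.

```python
"""Added example: TLS 1.2 PRF (RFC 5246 section 5) with and without Extended
Random values mixed into the master-secret seed.  Not code from the draft or
the list post.  Concatenation order of the extended values and all sample
inputs are assumptions/constructed data.
"""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """P_hash(secret, seed) from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1))
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to `length` bytes.  Note the seed is re-fed into every HMAC
    call, which is where attacker-chosen random bytes enter the function.
    """
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return bytes(out[:length])


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret_seed(client_random: bytes, server_random: bytes,
                       client_ext: bytes = b"", server_ext: bytes = b"") -> bytes:
    """Seed for the master secret.

    Without the extension: ClientHello.random + ServerHello.random (64 bytes).
    With Extended Random each side's extended_random is appended after its
    random (ASSUMPTION about the draft's ordering; the point here is how much
    the seed grows, not the exact layout).
    """
    return client_random + client_ext + server_random + server_ext


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes,
                  client_ext: bytes = b"", server_ext: bytes = b"") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", seed)[0..47]."""
    seed = master_secret_seed(client_random, server_random, client_ext, server_ext)
    return tls12_prf(pre_master, b"master secret", seed, 48)


# Constructed sample inputs (not real handshake values).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
EXT_LEN = 64                      # assumed "longer public randomness" size
ZERO_EXT = b"\x00" * EXT_LEN      # what a bad implementation might send


def analyse() -> dict:
    """Compare the PRF's inputs and outputs with and without the extension."""
    plain = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    honest = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM,
                           b"\x33" * EXT_LEN, b"\x44" * EXT_LEN)
    # Both sides send all-zero extended_random: low entropy, but two sessions
    # whose ordinary 32-byte randoms differ still get different master secrets.
    zero_a = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM, ZERO_EXT, ZERO_EXT)
    zero_b = master_secret(PRE_MASTER, CLIENT_RANDOM, b"\x55" * 32, ZERO_EXT, ZERO_EXT)
    # An attacker who controls every public random byte but not pre_master
    # still cannot predict the output: a different pre_master changes it all.
    other_pm = master_secret(b"\xff" * 48, CLIENT_RANDOM, SERVER_RANDOM, ZERO_EXT, ZERO_EXT)

    label = b"master secret"
    seed_plain = master_secret_seed(CLIENT_RANDOM, SERVER_RANDOM)
    seed_ext = master_secret_seed(CLIENT_RANDOM, SERVER_RANDOM, ZERO_EXT, ZERO_EXT)
    return {
        "seed_len_plain": len(seed_plain),
        "seed_len_ext": len(seed_ext),
        # The draft's remark that the PRF input already exceeds the hash block
        # size holds even without the extension (13-byte label + 64 > 64).
        "plain_input_exceeds_block": len(label + seed_plain) > hashlib.sha256().block_size,
        "ms_len": len(plain),
        "ext_changes_ms": plain != honest,
        "zero_ext_still_distinct_per_session": zero_a != zero_b,
        "zero_ext_deterministic": zero_a == master_secret(
            PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM, ZERO_EXT, ZERO_EXT),
        "premaster_still_needed": other_pm != zero_a,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run it and the seed the attacker can influence grows from 64 to 192 bytes while the HMAC-based PRF does the same number of compression rounds either way; that is the "greater scope for influencing the output" the draft is worried about, and the zero-extended-random cases are the draft's second point in miniature: session keys stay distinct because the 32-byte randoms and the secret still vary, so the extension adds nothing the protocol depends on for correctness.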