[cryptography] Extended Random is extended to whom, exactly?

ianG iang at iang.org
Mon Mar 31 18:33:45 EDT 2014


On 31/03/2014 18:49 pm, Michael Rogers wrote:
> On 31/03/14 18:36, ianG wrote:
>> END of snippets, mostly to try and figure out what this protocol
>> is before casting judgement.  Anyone got an idea?
> 
> http://tools.ietf.org/html/draft-rescorla-tls-extended-random-02
> 
> "The United States Department of Defense has requested a TLS mode
> which allows the use of longer public randomness values for use with
> high security level cipher suites like those specified in Suite B
> [I-D.rescorla-tls-suiteb].  The rationale for this as stated by DoD
> is that the public randomness for each side should be at least twice
> as long as the security level for cryptographic parity, which makes
> the 224 bits of randomness provided by the current TLS random values
> insufficient."



4.1.  Threats to TLS

   When this extension is in use it increases the amount of data that an
   attacker can inject into the PRF.  This potentially would allow an
   attacker who had partially compromised the PRF greater scope for
   influencing the output.  Hash-based PRFs like the one in TLS are
   designed to be fairly indifferent to the input size (the input is
   already greater than the block size of most hash functions), however
   there is currently no proof that a larger input space would not make
   attacks easier.

   Another concern is that bad implementations might generate low
   entropy extended random values.  TLS is designed to function
   correctly even when fed low-entropy random values because they are
   primarily used to generate distinct keying material for each
   connection.



In some ways, this reminds me of the audit reports for compromised CAs.
Once you know the compromise, you can often see the weakness in the
report.  In some cases the auditor has pointed it out in black and
white, but it's a trapdoor function; you have to know the language, and
have some independent confirmation of the weakness, to know that the
auditor covered himself.



iang
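The PRF-input point in the quoted draft section, as an added example that is not from the thread, the draft, or any TLS implementation: a TLS 1.2 PRF (RFC 5246 P_SHA256) is fed the two standard 32-byte randoms alone and then with constructed 64-byte extended_random values appended, so the amount of public, peer-chosen seed material and the dependence of the master secret on the pre_master_secret can both be seen. The placement of the extended values after the standard randoms is an assumption made for illustration.

```python
# Added example, not taken from the thread or the draft: the TLS 1.2 PRF of
# RFC 5246 (P_SHA256), used to show how much public, peer-chosen input reaches
# the master-secret derivation with and without extended random values.
# Appending the extended values after the two 32-byte randoms is an assumption
# made for illustration, not the draft's actual layout.
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 P_hash expansion with HMAC-SHA256."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pms: bytes, client_random: bytes, server_random: bytes,
                  client_ext: bytes = b"", server_ext: bytes = b"") -> bytes:
    """48-byte master secret; client_ext/server_ext model extended_random
    payloads (assumed placement: after the standard randoms)."""
    seed = client_random + server_random + client_ext + server_ext
    return tls12_prf(pms, b"master secret", seed, 48)


def demo() -> dict:
    """Constructed values only; returns the facts the thread discusses."""
    pms = os.urandom(48)                           # pre_master_secret
    cr, sr = os.urandom(32), os.urandom(32)        # standard randoms
    cext, sext = os.urandom(64), os.urandom(64)    # 64-byte extensions each
    zero = bytes(32)                               # degenerate, low-entropy random
    return {
        # public bytes an attacker can see or (as a peer) choose in the seed
        "public_seed_bytes_std": len(cr + sr),                  # 64
        "public_seed_bytes_ext": len(cr + sr + cext + sext),    # 192
        # the extension really does feed the key schedule
        "ext_changes_ms": master_secret(pms, cr, sr)
        != master_secret(pms, cr, sr, cext, sext),
        # with zero-entropy randoms the secret still depends on the PMS
        "zero_random_still_keyed": master_secret(pms, zero, zero)
        != master_secret(os.urandom(48), zero, zero),
    }
```

The seed grows from 64 to 192 peer-visible bytes in this configuration, which is the "more data an attacker can inject into the PRF" the draft describes, while the last check shows why the draft treats low-entropy randoms as survivable: secrecy rests on the pre_master_secret.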

