On 31/03/2014 18:49 pm, Michael Rogers wrote:
> On 31/03/14 18:36, ianG wrote:
>> END of snippets, mostly to try and figure out what this protocol
>> is before casting judgement. Anyone got an idea?
>
> http://tools.ietf.org/html/draft-rescorla-tls-extended-random-02
>
> "The United States Department of Defense has requested a TLS mode
> which allows the use of longer public randomness values for use with
> high security level cipher suites like those specified in Suite B
> [I-D.rescorla-tls-suiteb]. The rationale for this as stated by DoD
> is that the public randomness for each side should be at least twice
> as long as the security level for cryptographic parity, which makes
> the 224 bits of randomness provided by the current TLS random values
> insufficient."
4.1. Threats to TLS

When this extension is in use it increases the amount of data that an
attacker can inject into the PRF. This potentially would allow an
attacker who had partially compromised the PRF greater scope for
influencing the output. Hash-based PRFs like the one in TLS are
designed to be fairly indifferent to the input size (the input is
already greater than the block size of most hash functions), however
there is currently no proof that a larger input space would not make
attacks easier.

Another concern is that bad implementations might generate low entropy
extended random values. TLS is designed to function correctly even
when fed low-entropy random values because they are primarily used to
generate distinct keying material for each connection.

In some ways, this reminds me of the audit reports for compromised
CAs. Once you know the compromise, you can often see the weakness in
the report. In some cases the auditor has pointed it out in black and
white, but it's a trapdoor function; you have to know the language,
and have some independent confirmation of the weakness, to know that
the auditor covered himself.

iang

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
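The PRF that section 4.1 of the draft is talking about, as an added example that is not part of the thread or of the draft: the TLS 1.2 PRF from RFC 5246 section 5 (P_SHA256), run once with the standard 32-byte randoms and once with extended values spliced in. It shows where the public randoms enter the expansion (the whole seed is HMAC'd on every output block), how much more seed the extension hands the PRF, and why an all-zero client random still yields distinct keying material per connection as long as the other side's random differs. The draft's wire format is not reproduced; how the extended values are spliced into the seed (appended to each side's standard random) is an assumption made here for illustration, and every input value is constructed.

```python
"""TLS 1.2 PRF (RFC 5246, section 5) with and without extended randoms.

Added example for this thread; not code from the draft or from any TLS
stack. Assumption: each side's extended random value is appended to that
side's standard 32-byte random before the PRF seed is formed. The draft
lengthens the public randomness; the exact splice is assumed here.
"""
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_<hash> expansion, RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                           HMAC_hash(secret, A(2) + seed) + ...
    Truncated to `length` bytes. The full seed is HMAC'd on every block,
    which is where the attacker-visible (and partly attacker-chosen)
    randoms enter the computation.
    """
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:length])


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed), the TLS 1.2 default."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes,
                  client_ext: bytes = b"", server_ext: bytes = b"") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]

    Assumed extended_random splice: each random becomes random || extended value.
    """
    seed = (client_random + client_ext) + (server_random + server_ext)
    return prf(pre_master, b"master secret", seed, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int,
              client_ext: bytes = b"", server_ext: bytes = b"") -> bytes:
    """key_block = PRF(master_secret, "key expansion",
                       server_random + client_random); note the reversed order."""
    seed = (server_random + server_ext) + (client_random + client_ext)
    return prf(master, b"key expansion", seed, length)


def prf_seed_bits(client_random: bytes, server_random: bytes,
                  client_ext: bytes = b"", server_ext: bytes = b"") -> int:
    """Bits of public seed fed to the PRF (label excluded). The standard 32-byte
    random carries 4 bytes of gmt_unix_time, which is why the draft counts 224
    random bits per side rather than 256."""
    return 8 * (len(client_random) + len(client_ext) + len(server_random) + len(server_ext))


def demo() -> dict:
    # Constructed values; a real stack draws these from its DRBG and key exchange.
    pre_master = bytes(range(48))
    weak_client_random = bytes(32)          # a broken client emitting all-zero randoms
    server_random_a = bytes([0xA5]) * 32
    server_random_b = bytes([0x5A]) * 32
    client_ext = bytes([0xC1]) * 64         # 512-bit extended values, constructed
    server_ext = bytes([0x51]) * 64

    ms_a = master_secret(pre_master, weak_client_random, server_random_a)
    ms_b = master_secret(pre_master, weak_client_random, server_random_b)
    ms_ext = master_secret(pre_master, weak_client_random, server_random_a,
                           client_ext, server_ext)
    return {
        "seed_bits_standard": prf_seed_bits(weak_client_random, server_random_a),
        "seed_bits_extended": prf_seed_bits(weak_client_random, server_random_a,
                                            client_ext, server_ext),
        # Low-entropy client random, yet the two connections still get distinct keys
        # because the server random differs; this is the property the draft relies on.
        "distinct_without_ext": ms_a != ms_b,
        "ext_changes_master": ms_a != ms_ext,
        "keys_a": key_block(ms_a, weak_client_random, server_random_a, 40),
        "keys_b": key_block(ms_b, weak_client_random, server_random_b, 40),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The seed-size figures are the point of the draft's first concern: with 64-byte extended values on both sides the PRF seed triples, and all of it is data the peer (or a man in the middle who can rewrite hellos) gets to choose. The distinctness check is the draft's second point: because every random, weak or not, is bound into the seed, a zero client random alone does not collapse the keying material, although it does hand the attacker that much more control over the seed.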
