On Thu, Mar 14, 2019 at 04:09:10PM -0700, Jaime Hablutzel via dev-security-policy wrote:
> > In accordance with our conversations to date, prior to 3/7 6:30pm AZ we
> > utilized raw 64 bit output from CSPRNG, with uniqueness and non zero
> > checks. This new understanding of the rules calls for us to modify our
> > original disclosure to 0 affected certificates.
>
> "uniqueness and non zero checks" have crippled the effective 64 bit output
> from the CSPRNG, so, as I can see it, all of your previously generated serial
> numbers (according to the algorithm you disclosed [1]) could be considered
> non-compliant to current BRs as explained below:
>
> First, according to your algorithm, if the MSB in the fully random 8 octets
> is 1 you add a leading 00 byte, so until that time you have 64 full bits of
> entropy, i.e. 18446744073709551616 possible different values.
>
> Then, you have to filter out some values. To begin with, you filter out the
> value 0, leaving you with 18446744073709551615 possible values.
>
> Now, you filter the previously generated serial numbers (known to potential
> attackers thanks to current CT deployment), let's say 1000000 at a given
> point in time, so now you are left with 18446744073708551615 possible values.
>
> And if we do the math:
>
> 18446744073708551615 / 18446744073709551616 * 64 =
> 63.999999999996530549578599433858
>
> Which is less than the required 64 bits.
>
> So any filtering operation (e.g. previously generated serial numbers)
> actually reduces effective entropy and overall security as illustrated in the
> fictional and forced scenario in [2].
The most obvious way to implement this is that in case the check fails, you
just generate another serial. You can argue that that new serial will contain
64 bits of entropy, but if you want to be really correct, I think you're right
and it doesn't.

Just as an example, if you generate 64 bit random numbers, and throw away all
those that have the top bit set, which would be around half of them, it's easy
to see you've reduced it to 63 bits.

So you can argue that it's not possible to comply with the BRs by just
generating a 64 bit random number, you would need to generate at least 65.

But I would argue that such an implementation that only generates 64 bits and
does the checks is in the spirit of what was intended.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
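As an added illustration, not code from either poster, here is Jaime's entropy argument and Kurt's suggested fix in Python: it counts the values left after rejecting zero and previously issued serials, checks exactly (in integers, not floats) whether at least 2^64 remain, finds the smallest raw draw width that still does, and shows a generator that draws more than 64 bits and simply redraws on rejection. The 72-bit default (rounding "at least 65" up to whole octets), the `SerialGenerator` name and the injectable `rng` are my assumptions.

```python
import math
import secrets
from typing import Callable, Iterable


def remaining_values(raw_bits: int, excluded: int) -> int:
    """Values still drawable from a raw_bits-wide uniform space once
    `excluded` distinct values (zero, already-issued serials) are rejected."""
    return 2 ** raw_bits - excluded


def effective_entropy_bits(raw_bits: int, excluded: int) -> float:
    """Entropy of a uniform draw over the remaining values: log2 of their count."""
    return math.log2(remaining_values(raw_bits, excluded))


def meets_requirement(raw_bits: int, excluded: int, required_bits: int = 64) -> bool:
    """Exact check: the draw carries at least required_bits of entropy only if
    at least 2**required_bits values remain after rejection. With raw_bits == 64
    rejecting even the single value 0 already fails."""
    return remaining_values(raw_bits, excluded) >= 2 ** required_bits


def min_raw_bits(excluded: int, required_bits: int = 64) -> int:
    """Smallest raw draw width that still meets the requirement after rejection."""
    width = required_bits
    while not meets_requirement(width, excluded, required_bits):
        width += 1
    return width


def der_integer_content(n: int) -> bytes:
    """Content octets of a positive DER INTEGER: big-endian, with a 0x00 prefix
    when the top bit of the first octet is set (the leading 00 byte in the thread)."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + body if body[0] & 0x80 else body


class SerialGenerator:
    """Draws raw_bits from a CSPRNG and rejects zero and duplicates, the checks
    the thread describes. raw_bits is deliberately above 64 (assumed 72 here)
    so the rejections still leave at least 64 bits of entropy."""

    def __init__(self, raw_bits: int = 72, issued: Iterable[int] = (),
                 rng: Callable[[int], int] = secrets.randbits):
        self.raw_bits, self.rng = raw_bits, rng
        self.issued = set(issued)  # previously issued serials, e.g. from CT logs

    def next_serial(self) -> bytes:
        while True:
            n = self.rng(self.raw_bits)
            if n == 0 or n in self.issued:
                continue  # rejected: redraw rather than patch the value
            self.issued.add(n)
            return der_integer_content(n)
```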

