[cryptography] Extended Random is extended to whom, exactly?

2014-03-31 Thread ianG
http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331


(Reuters) - Security industry pioneer RSA adopted not just one but two
encryption tools developed by the U.S. National Security Agency, greatly
increasing the spy agency's ability to eavesdrop on some Internet
communications, according to a team of academic researchers.

...
A group of professors from Johns Hopkins, the University of Wisconsin,
the University of Illinois and elsewhere now say they have discovered
that a second NSA tool exacerbated the RSA software's vulnerability.

The professors found that the tool, known as the Extended Random
extension for secure websites, could help crack a version of RSA's Dual
Elliptic Curve software tens of thousands of times faster, according to
an advance copy of their research shared with Reuters.

...
In a Pentagon-funded paper in 2008, the Extended Random protocol was
touted as a way to boost the randomness of the numbers generated by the
Dual Elliptic Curve.

...
But members of the academic team said they saw little improvement, while
the extra data transmitted by Extended Random before a secure connection
begins made predicting the following secure numbers dramatically easier.

"Adding it doesn't seem to provide any security benefits that we can
figure out," said one of the authors of the study, Thomas Ristenpart of
the University of Wisconsin.

Johns Hopkins Professor Matthew Green said it was hard to take the
official explanation for Extended Random at face value, especially since
it appeared soon after Dual Elliptic Curve's acceptance as a U.S. standard.

"If using Dual Elliptic Curve is like playing with matches, then adding
Extended Random is like dousing yourself with gasoline," Green said.

The NSA played a significant role in the origins of Extended Random. The
authors of the 2008 paper on the protocol were Margaret Salter,
technical director of the NSA's defensive Information Assurance
Directorate, and an outside expert named Eric Rescorla.
...




END of snippets, mostly to try and figure out what this protocol is
before casting judgement.  Anyone got an idea?



iang
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Extended Random is extended to whom, exactly?

2014-03-31 Thread Michael Rogers
On 31/03/14 18:36, ianG wrote:
> END of snippets, mostly to try and figure out what this protocol
> is before casting judgement.  Anyone got an idea?

http://tools.ietf.org/html/draft-rescorla-tls-extended-random-02

The United States Department of Defense has requested a TLS mode
which allows the use of longer public randomness values for use with
high security level cipher suites like those specified in Suite B
[I-D.rescorla-tls-suiteb].  The rationale for this as stated by DoD
is that the public randomness for each side should be at least twice
as long as the security level for cryptographic parity, which makes
the 224 bits of randomness provided by the current TLS random values
insufficient.

Cheers,
Michael



Re: [cryptography] Extended Random is extended to whom, exactly?

2014-03-31 Thread ianG
On 31/03/2014 18:49 pm, Michael Rogers wrote:
> On 31/03/14 18:36, ianG wrote:
>> END of snippets, mostly to try and figure out what this protocol
>> is before casting judgement.  Anyone got an idea?
>
> http://tools.ietf.org/html/draft-rescorla-tls-extended-random-02
>
> The United States Department of Defense has requested a TLS mode
> which allows the use of longer public randomness values for use with
> high security level cipher suites like those specified in Suite B
> [I-D.rescorla-tls-suiteb].  The rationale for this as stated by DoD
> is that the public randomness for each side should be at least twice
> as long as the security level for cryptographic parity, which makes
> the 224 bits of randomness provided by the current TLS random values
> insufficient.



4.1.  Threats to TLS

   When this extension is in use it increases the amount of data that an
   attacker can inject into the PRF.  This potentially would allow an
   attacker who had partially compromised the PRF greater scope for
   influencing the output.  Hash-based PRFs like the one in TLS are
   designed to be fairly indifferent to the input size (the input is
   already greater than the block size of most hash functions), however
   there is currently no proof that a larger input space would not make
   attacks easier.

   Another concern is that bad implementations might generate low
   entropy extended random values.  TLS is designed to function
   correctly even when fed low-entropy random values because they are
   primarily used to generate distinct keying material for each
   connection.



In some ways, this reminds me of the audit reports for compromised CAs.
Once you know the compromise, you can often see the weakness in the
report.  In some cases the auditor has pointed it out in black and
white, but it's a trapdoor function; you have to know the language, and
have some independent confirmation of the weakness, to know that the
auditor covered himself.



iang
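Worked example, added here and not taken from the draft, from RSA's BSAFE, or from any poster in this thread. It makes two quoted passages concrete: the DoD rationale in Michael Rogers' reply (a 32-byte TLS Random carries only 224 unpredictable bits once the 4-byte timestamp is discounted, so a 192-bit Suite B level would need 20 more bytes per side) and the Section 4.1 threat quoted by ianG (the extension lengthens the peer-controlled seed that enters the PRF). The Random layout and the P_SHA256 PRF are the real RFC 5246 constructions; the extension code point 40, the `opaque extended_random_value<0..2^16-1>` wire format and the order in which extended values are appended to the PRF seed are assumptions drawn from memory of the draft, and all handshake values are constructed.

```python
import hashlib
import hmac
import math
import struct

TLS_RANDOM_LEN = 32          # RFC 5246: Random = gmt_unix_time[4] + random_bytes[28]
GMT_UNIX_TIME_LEN = 4
EXTENDED_RANDOM_TYPE = 40    # ASSUMPTION: code point the draft used; IANA now lists 40 as reserved


def public_randomness_bits(random_value: bytes, extended_value: bytes = b"") -> int:
    """Unpredictable public bits one peer contributes: 224 from a plain Random
    (the timestamp is predictable), plus 8 per extended random byte."""
    if len(random_value) != TLS_RANDOM_LEN:
        raise ValueError("TLS Random must be exactly 32 bytes")
    return (TLS_RANDOM_LEN - GMT_UNIX_TIME_LEN) * 8 + len(extended_value) * 8


def extended_bytes_needed(security_level_bits: int) -> int:
    """Extra bytes per side implied by the quoted DoD rule: public randomness >= 2 x security level."""
    shortfall = 2 * security_level_bits - (TLS_RANDOM_LEN - GMT_UNIX_TIME_LEN) * 8
    return max(0, math.ceil(shortfall / 8))


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """P_hash from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def prf_seed(client_random, server_random, client_ext=b"", server_ext=b""):
    """Seed for the master secret PRF.  RFC 5246: ClientHello.random + ServerHello.random
    (64 bytes).  The ordering of the appended extended values is an ASSUMPTION."""
    return client_random + server_random + client_ext + server_ext


def master_secret(pre_master_secret, client_random, server_random, client_ext=b"", server_ext=b""):
    seed = prf_seed(client_random, server_random, client_ext, server_ext)
    return tls12_prf(pre_master_secret, b"master secret", seed, 48)


def build_extensions(items):
    """Encode an Extension<0..2^16-1> vector: 2-byte total length, then (type, len, data) entries."""
    body = b"".join(struct.pack("!HH", etype, len(data)) + data for etype, data in items)
    return struct.pack("!H", len(body)) + body


def parse_extensions(block: bytes) -> dict:
    """Strict parser for the extensions vector of a hello message; bad lengths raise."""
    if len(block) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", block[:2])
    body = block[2:]
    if len(body) != total:
        raise ValueError("extensions length mismatch")
    exts, pos = {}, 0
    while pos < total:
        if pos + 4 > total:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > total:
            raise ValueError("truncated extension body")
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def extended_random_value(exts: dict):
    """Peer's extended random bytes, or None when the extension is absent.
    ASSUMPTION: extension_data is opaque extended_random_value<0..2^16-1>."""
    data = exts.get(EXTENDED_RANDOM_TYPE)
    if data is None:
        return None
    if len(data) < 2:
        raise ValueError("bad extended_random data")
    (n,) = struct.unpack("!H", data[:2])
    if len(data) != 2 + n:
        raise ValueError("extended_random length mismatch")
    return data[2:]


def demo():
    # Constructed sample values; nothing here is captured from a real handshake.
    pms = bytes(range(48))
    client_random = struct.pack("!I", 1396288560) + bytes([0x11] * 28)
    server_random = struct.pack("!I", 1396288561) + bytes([0x22] * 28)
    ext_len = extended_bytes_needed(192)                 # Suite B 192-bit level -> 20 bytes
    client_ext, server_ext = bytes([0x33] * ext_len), bytes([0x44] * ext_len)
    hello_exts = build_extensions([
        (0, b"\x00\x0c\x00\x00\x09localhost"),           # server_name, constructed
        (EXTENDED_RANDOM_TYPE, struct.pack("!H", ext_len) + client_ext),
    ])
    seen_ext = extended_random_value(parse_extensions(hello_exts))
    plain = master_secret(pms, client_random, server_random)
    extended = master_secret(pms, client_random, server_random, client_ext, server_ext)
    return {
        "client_bits_without": public_randomness_bits(client_random),
        "client_bits_with": public_randomness_bits(client_random, seen_ext),
        "seed_len_without": len(prf_seed(client_random, server_random)),
        "seed_len_with": len(prf_seed(client_random, server_random, client_ext, server_ext)),
        "master_secret_changed": plain != extended,
        "extended_random_seen": seen_ext == client_ext,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the accounting both quoted passages rely on: each side goes from 224 to 384 public bits at the 192-bit level, and the PRF seed grows from 64 to 104 bytes, all of it peer-supplied. The strict `parse_extensions` / `extended_random_value` pair is the piece a defender can reuse as-is, to flag hellos that advertise the extension (code point assumed) and to reject malformed length fields rather than silently truncating them.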