[TLS] Extended random is NSA backdoor

Watson Ladd <watsonbladd@gmail.com> Mon, 31 March 2014 14:24 UTC

Date: Mon, 31 Mar 2014 07:24:50 -0700
Message-ID: <CACsn0cmOjLDVgHjN00vb7XVTEU2FS9ZP5Rdax1W7sUqVBPQdvA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/AVxdgzDY3WS1Gt8xZEc7KUg2MGQ
Subject: [TLS] Extended random is NSA backdoor

Dear all,
Reuters reports
"The NSA played a significant role in the origins of Extended Random.
The authors of the 2008 paper on the protocol were Margaret Salter,
technical director of the NSA's defensive Information Assurance
Directorate, and an outside expert named Eric Rescorla.

Rescorla, who has advocated greater encryption of all Web traffic,
works for Mozilla, maker of the Firefox web browser. He and Mozilla
declined to comment. Salter did not respond to requests for comment."

I'd like some explanation, particularly given that
draft-rescorla-tls-extended-random-02 contains nothing resembling an
explanation for why the randomness needs to be extended if ECDHE is
being used, which it is on all DoD applications. Furthermore, this
confirms that the IAD inserts backdoors into products.

For those who aren't aware, extended random makes it easier to exploit
the Dual EC PRNG.

Sincerely,
Watson Ladd