IETF conflict review for draft-irtf-cfrg-randomness-improvements
conflict-review-irtf-cfrg-randomness-improvements-00

Yes

Roman Danyliw

No Objection

Erik Kline
Murray Kucherawy
(Alissa Cooper)
(Alvaro Retana)
(Barry Leiba)
(Deborah Brungard)
(Martin Duke)
(Martin Vigoureux)
(Robert Wilton)

Note: This ballot was opened for revision 00 and is now closed.

Ballot question: "Is this the correct conflict review response?"

Roman Danyliw
Yes
Erik Kline
No Objection
Murray Kucherawy
No Objection
Benjamin Kaduk (Former IESG member)
Yes
Yes (2020-08-11) Sent
Section 1

   of the same length.  CSPRNGs are critical building blocks for TLS and
   related transport security protocols.  TLS in particular uses CSPRNGs
   to generate several values: session IDs, ephemeral key shares, and
   ClientHello and ServerHello random values.  [...]

Session IDs seem to be a (legacy) TLS 1.2 construct at this point,
right?  But neither RFC 5246 nor 5077 specifically says the ID has to be
or involve a CSPRNG output, which makes me wonder if I'm misinterpreting
this statement.

   3.  If the CSPRNG is broken or controlled by Adv, the output of the
       proposed construction remains indistinguishable from random
       provided the private key remains unknown to Adv.

When I first read this, I wondered about an attacker that controlled the
CSPRNG and also had access to an oracle that could perform signatures
using the private key (but not the private key itself).  It seems
(intuitively, thus not reliably) that keeping the tag1 value
confidential would stymie such an attacker, though if the tag1 is just
device-specific information and the attacker has access to the HSM then
keeping tag1 confidential may not be possible.  On the other hand, the
draft discusses a scenario with a single HSM shared across multiple
machines, so perhaps just having access to the HSM is not as strong of
an ability as intuition suggests.  On the gripping hand, if tag1 was
confidential and that was enough protection, then even an attacker that
knew the private key (but not tag1) would still not be able to break the
construction ... so I conclude that I'm still confused about this case.
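The construction the ballot comment above is discussing, worked through in code so the roles of the CSPRNG output, Sig(sk, tag1) and tag2 can be inspected directly. This is an added example, not text from the ballot or code from the draft's authors. It follows the wrapper the draft specifies (Section 3; published as RFC 8937): G'(n) = Expand(Extract(G(L), H(Sig(sk, tag1))), tag2, n), with HKDF-Extract/Expand over SHA-256. Two things are assumptions made here for a stand-alone script: the deterministic signature Sig is replaced by an HMAC keyed with sk (the draft requires a real deterministic signature such as Ed25519 or RFC 6979 ECDSA), and the key, tag1 and tag2 values are constructed sample inputs. The helper `reproduce_from_signature` models a party that learns the signature value itself, which is the signing-oracle case the comment raises; nothing here decides that question, it only shows what that party can compute.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
L = HASH().digest_size  # output length of H (32 bytes); also the size requested from G


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    """HKDF-Expand (RFC 5869): n bytes keyed by PRK and bound to info."""
    out, block, counter = b"", b"", 1
    while len(out) < n:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:n]


def sig_stand_in(sk: bytes, msg: bytes) -> bytes:
    """Stand-in for Sig(sk, msg). ASSUMPTION: an HMAC keyed with sk replaces the
    deterministic signature the draft requires. It keeps the property the wrapper
    relies on: a fixed value per (sk, tag1) that is unpredictable without sk."""
    return hmac.new(sk, msg, HASH).digest()


def wrapped_random(G, sk: bytes, tag1: bytes, tag2: bytes, n: int) -> bytes:
    """The draft's wrapper: G'(n) = Expand(Extract(G(L), H(Sig(sk, tag1))), tag2, n).
    G(L) is the salt of the extractor, H(Sig(sk, tag1)) its input keying material."""
    prk = hkdf_extract(G(L), HASH(sig_stand_in(sk, tag1)).digest())
    return hkdf_expand(prk, tag2, n)


def reproduce_from_signature(sig: bytes, g_output: bytes, tag2: bytes, n: int) -> bytes:
    """What someone who knows G's output and the value Sig(sk, tag1), but not sk,
    can compute: the same G'(n), since sk enters only through that signature."""
    return hkdf_expand(hkdf_extract(g_output, HASH(sig).digest()), tag2, n)


def broken_csprng(n: int) -> bytes:
    """Adversary-controlled G for the property-3 scenario: always returns zeros."""
    return b"\x00" * n


def check_property3() -> dict:
    """Exercise the wrapper with a fully controlled G and report what still holds."""
    sk = bytes.fromhex("00" * 31 + "01")          # constructed private key
    other_sk = bytes.fromhex("00" * 31 + "02")    # constructed second key
    tag1 = b"example.org host hsm-01"             # constructed fixed per-device string
    out_a = wrapped_random(broken_csprng, sk, tag1, b"counter=1", 32)
    out_b = wrapped_random(broken_csprng, sk, tag1, b"counter=2", 32)
    out_c = wrapped_random(broken_csprng, other_sk, tag1, b"counter=1", 32)
    oracle_sig = sig_stand_in(sk, tag1)           # the value a signing oracle would return
    repro = reproduce_from_signature(oracle_sig, broken_csprng(L), b"counter=1", 32)
    return {
        "nonzero_despite_zero_G": out_a != b"\x00" * 32,
        "distinct_per_tag2": out_a != out_b,
        "depends_on_sk": out_a != out_c,
        "signature_value_suffices": repro == out_a,
    }


def honest_g_stays_fresh() -> bool:
    """With a working G, repeated calls differ even for a repeated tag2."""
    sk, tag1 = bytes.fromhex("00" * 31 + "01"), b"example.org host hsm-01"
    a = wrapped_random(os.urandom, sk, tag1, b"counter=7", 32)
    b = wrapped_random(os.urandom, sk, tag1, b"counter=7", 32)
    return a != b


if __name__ == "__main__":
    print(check_property3())
    print("honest G fresh:", honest_g_stays_fresh())
```

Reading the results: with G returning only zeros, the output is still nonzero, changes with tag2 and changes with sk, which is the content of property 3; `signature_value_suffices` shows that the per-device signature value is the whole secret contribution, so whoever can obtain Sig(sk, tag1) for the actual tag1 needs no further knowledge of sk to compute G'.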
Alissa Cooper (Former IESG member)
No Objection
No Objection () Not sent

Alvaro Retana (Former IESG member)
No Objection
No Objection () Not sent

Barry Leiba (Former IESG member)
No Objection
No Objection () Not sent

Deborah Brungard (Former IESG member)
No Objection
No Objection () Not sent

Martin Duke (Former IESG member)
No Objection
No Objection () Not sent

Martin Vigoureux (Former IESG member)
No Objection
No Objection () Not sent

Robert Wilton (Former IESG member)
No Objection
No Objection () Not sent