Randomness is a crucial ingredient for TLS and related security
protocols. Weak or predictable "cryptographically strong"
pseudorandom number generators (CSPRNGs) can be abused or exploited
for malicious purposes. The Dual EC random number backdoor and the
Debian bugs are relevant examples of this problem. An initial
entropy source that seeds a CSPRNG might be weak or broken as well,
which can also lead to critical and systemic security problems. This
document describes a way for security protocol participants to
augment their CSPRNGs using long-term private keys. The result
improves the randomness obtained from broken or otherwise subverted
CSPRNGs.
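The following is an added example, not code from the draft or from any of the implementations mentioned below. It shows the general shape of the idea: feed a fresh output of the existing CSPRNG and a deterministic, private-key-dependent value into a key derivation function (HKDF, RFC 5869), so that an attacker who can predict the CSPRNG still has to know the long-term private key to predict the final output. Everything specific here is an assumption for illustration: the Python standard library has no Ed25519, so an HMAC keyed with the private key stands in for a deterministic signature; the tag strings, the 8-byte counter folded into the HKDF info, and the "always returns zeros" broken generator are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
L = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    assert 0 < n <= 255 * L, "HKDF-Expand is limited to 255 * HashLen bytes"
    okm, t, i = b"", b"", 1
    while len(okm) < n:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:n]


def deterministic_sig(sk: bytes, msg: bytes) -> bytes:
    """ASSUMPTION: stand-in for a deterministic signature (e.g. Ed25519) over
    msg with the long-term private key sk. An HMAC keyed with sk has the
    property that matters here: only the holder of sk can compute it."""
    return hmac.new(sk, msg, HASH).digest()


class AugmentedRng:
    """Wraps a CSPRNG g so that every output also depends on the private key."""

    def __init__(self, g, sk: bytes, tag1: bytes, tag2: bytes):
        self.g = g                                # underlying CSPRNG: g(n) -> n bytes
        self.sig = deterministic_sig(sk, tag1)    # computed once; sk is not stored
        self.tag2 = tag2
        self.counter = 0                          # assumption: keeps outputs distinct

    def random_bytes(self, n: int) -> bytes:
        salt = self.g(L)                          # fresh CSPRNG output, however weak
        prk = hkdf_extract(salt, self.sig)        # mix it with the key-dependent value
        info = self.tag2 + self.counter.to_bytes(8, "big")
        self.counter += 1
        return hkdf_expand(prk, info, n)


def broken_csprng(n: int) -> bytes:
    """Constructed stand-in for a subverted generator: its output is fully predictable."""
    return b"\x00" * n


# Constructed long-term keys and tags for two hosts sharing the same broken CSPRNG.
SK_A = b"A" * 32
SK_B = b"B" * 32
TAG1 = b"example: CSPRNG augmentation"
TAG2 = b"example: session key material"


def compare_hosts(n: int = 32):
    """Two hosts with identical (broken) CSPRNG output but different keys.
    Returns (host A output 1, host A output 2, host B output 1)."""
    rng_a = AugmentedRng(broken_csprng, SK_A, TAG1, TAG2)
    rng_b = AugmentedRng(broken_csprng, SK_B, TAG1, TAG2)
    a1 = rng_a.random_bytes(n)
    a2 = rng_a.random_bytes(n)
    b1 = rng_b.random_bytes(n)
    return a1, a2, b1


if __name__ == "__main__":
    a1, a2, b1 = compare_hosts()
    print("broken CSPRNG alone :", broken_csprng(32).hex())
    print("host A, call 1      :", a1.hex())
    print("host A, call 2      :", a2.hex())
    print("host B, call 1      :", b1.hex())
    healthy = AugmentedRng(secrets.token_bytes, SK_A, TAG1, TAG2)
    print("healthy CSPRNG + key:", healthy.random_bytes(32).hex())
```

Two properties are worth checking when running this. With the broken generator, the two hosts' outputs differ and neither equals the raw generator output, so knowledge of the CSPRNG state alone is not enough to predict them; and a second instance built with the same key reproduces host A's outputs exactly, which makes explicit that the private key, not the generator, is what protects the result in that case. The construction does not repair the generator itself: if the key is also compromised, the wrapper adds nothing.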
Research Group Summary:
The document was actively reviewed in CFRG and was presented
at several face-to-face meetings. Comments were constructive
but not particularly controversial. The document represents
consensus of CFRG.
There was a proposal to extend the document to cover constrained
IoT cases, but the CFRG decision was to do this work in a separate
The document conforms to requirements from RFC 5743.
Interest in this work has been expressed by multiple parties
at various points in time, in particular by Apple, Cloudflare
and, recently, the LAKE WG.
There are at least two implementations in BoringSSL:
one of which is public, the other is not.
Alexey Melnikov is the document shepherd.
Colin Perkins is the responsible IRTF Chair.