
From nobody Fri Mar  6 09:44:19 2020
To: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <8290ee48-83f6-863c-c163-868251ea220b@isode.com>
Date: Fri, 6 Mar 2020 17:44:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/_keHt-ZOfdpja213x0T7yU8vlNo>
Subject: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

Dear Crypto Panel members,

I would like to request at least one review for this document: 
<https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/>

Thank you,

Alexey


From nobody Fri Mar  6 10:55:38 2020
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <8290ee48-83f6-863c-c163-868251ea220b@isode.com>
Date: Fri, 6 Mar 2020 13:55:30 -0500
Cc: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Message-Id: <AA3BD1E6-91F4-46B8-B6BC-D0A07A0F94F3@vigilsec.com>
References: <8290ee48-83f6-863c-c163-868251ea220b@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/u9MqBnAkMr96UdQE_mp3Wr0vJ8A>
Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

I can do a review, but it will probably be 2 weeks. I yield if someone else can do it sooner.

Russ


> On Mar 6, 2020, at 12:44 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> Dear Crypto Panel members,
>
> I would like to request at least one review for this document: <https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/>
>
> Thank you,
>
> Alexey
>
> _______________________________________________
> Crypto-panel mailing list
> Crypto-panel@irtf.org
> https://www.irtf.org/mailman/listinfo/crypto-panel


From nobody Fri Mar  6 12:07:46 2020
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <8290ee48-83f6-863c-c163-868251ea220b@isode.com>
Date: Fri, 6 Mar 2020 21:07:41 +0100
Cc: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Message-Id: <8F8F5EC1-1F03-4FA0-82BB-780CF91B59B4@gmail.com>
References: <8290ee48-83f6-863c-c163-868251ea220b@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/EfJxmjNphrRcPkiJq9HuqintKEk>
Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

I can do a review as well.

> On 6 Mar 2020, at 18:44, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> Dear Crypto Panel members,
>
> I would like to request at least one review for this document: <https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/>
>
> Thank you,
>
> Alexey


From nobody Fri Mar  6 12:17:51 2020
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Date: Fri, 6 Mar 2020 20:17:37 +0000
Message-ID: <MN2PR11MB393645204695482526854809C1E30@MN2PR11MB3936.namprd11.prod.outlook.com>
References: <8290ee48-83f6-863c-c163-868251ea220b@isode.com> <8F8F5EC1-1F03-4FA0-82BB-780CF91B59B4@gmail.com>
In-Reply-To: <8F8F5EC1-1F03-4FA0-82BB-780CF91B59B4@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/TA0nTKA7nutEuW0Y0JyDfBPxRKw>
Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

I'll go through it as well.

> -----Original Message-----
> From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of
> Karthikeyan Bhargavan
> Sent: Friday, March 06, 2020 3:08 PM
> To: Alexey Melnikov <alexey.melnikov@isode.com>
> Cc: crypto-panel@irtf.org
> Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements
>
> I can do a review as well.
>
> > On 6 Mar 2020, at 18:44, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> >
> > Dear Crypto Panel members,
> >
> > I would like to request at least one review for this document: <https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/>
> >
> > Thank you,
> >
> > Alexey


From nobody Mon Mar  9 08:32:25 2020
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Date: Mon, 9 Mar 2020 15:32:11 +0000
Message-ID: <MN2PR11MB39363F0E8F6FA26950EBB926C1FE0@MN2PR11MB3936.namprd11.prod.outlook.com>
References: <8290ee48-83f6-863c-c163-868251ea220b@isode.com> <8F8F5EC1-1F03-4FA0-82BB-780CF91B59B4@gmail.com> <MN2PR11MB393645204695482526854809C1E30@MN2PR11MB3936.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB393645204695482526854809C1E30@MN2PR11MB3936.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/z83HNQ5iHE1__gTSPKA1aXGoQPs>
Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

This draft looks quite good, congratulations to the authors.  However, because this review wouldn't feel complete unless I have some complaints, here are some nits:

Who is this draft targeted towards?  I believe that, at some point, we'll need an RFC detailed enough that we could give it to an implementor and be reasonably confident that he'll implement something secure.  Currently, this isn't that - it leaves far too many options open for an implementor (who may be somewhat ignorant of cryptography) to make bad choices.
Things that should be specified (and we could allow a range of selections):
	- What is Extract.  The draft gives as an example HKDF-Extract; with what hash function?
	- What is L (the size of output of the Extract function)?
	- What is H?
	- What is Expand (HKDF-Expand?)
Also, we might want to expand on the guidance relating to the generation of tag2 - I would suggest that we should mandate (or, at least, strongly suggest) that it consist of a timestamp (if a real time clock is available) and a counter (which is incremented on every invocation).  One issue with the current recommendation (needs to be unique for each combination of G(L), tag1 and sk values) is that it might be difficult to ensure on a platform with no real time clock (and while this is not an ideal scenario, it will happen, and we shouldn't tell the user "you have to do this" when it may be infeasible).


The draft states that:
      We require that L >= n - L' for each value of tag2.

Why is this requirement here?  It would appear to me that, because tag2 is a potentially public string, its length is not specifically relevant to the security (as long as it is long enough that it never repeats).  One can certainly conceive of badly chosen options (L=1, L' = 32, n no more than 32) that are quite insecure but meet this criterion.


The draft states that:
	Sig MUST be a deterministic signature function, e.g., deterministic
	ECDSA [RFC6979], or use an independent (and completely reliable)
	entropy source
	...
	if the
	signatures are probabilistic and use weak entropy, our construction
	does not help and the signatures are still vulnerable due to repeat
	randomness attacks.
Why is this requirement here?  I would disagree with the reasoning; if the computation of Sig involves calls to a potentially weak RNG, it will still generate a valid signature; and (assuming that the private key and the signature scheme are secure), the attacker cannot guess any valid signature to a message.
If the concern is that a signature with a weak RNG might leak the private key (e.g. ECDSA), then I would note that this draft mandates that the signature not be leaked, and that it uses the hash of the signature (and the draft might want to give guidance that it's the hash that needs to be cached, and that the signature should be discarded immediately after the hash has been computed).


The document claims:
	the relatively inexpensive
	computational cost of HKDF dominates when comparing G' to G

I don't believe that is quite as true as the document hopes.  Most good CSRNGs run considerably faster than the HKDF Extract/Expand pair; hence G' is rather more expensive than the underlying G.  One could state that the cost of G' is generally considerably smaller than the protocol that's using G' (e.g. the ECDH operation).


In the tag1 section (in section 4), the document promises that section 5 will give additional advice on how some TLS protocol information could be used in generating a tag1 value.  Section 5 doesn't give any such guidance.


> -----Original Message-----
> From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of Scott
> Fluhrer (sfluhrer)
> Sent: Friday, March 06, 2020 3:18 PM
> To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>; Alexey
> Melnikov <alexey.melnikov@isode.com>
> Cc: crypto-panel@irtf.org
> Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements
>
> I'll go through it as well
>
> > -----Original Message-----
> > From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of
> > Karthikeyan Bhargavan
> > Sent: Friday, March 06, 2020 3:08 PM
> > To: Alexey Melnikov <alexey.melnikov@isode.com>
> > Cc: crypto-panel@irtf.org
> > Subject: Re: [Crypto-panel] Request for review:
> > draft-irtf-cfrg-randomness-improvements
> >
> > I can do a review as well.
> >
> > > On 6 Mar 2020, at 18:44, Alexey Melnikov <alexey.melnikov@isode.com>
> > wrote:
> > >
> > > Dear Crypto Panel members,
> > >
> > > I would like to request at least one review for this document:
> > <https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/>
> > >
> > > Thank you,
> > >
> > > Alexey
> > >
> > > _______________________________________________
> > > Crypto-panel mailing list
> > > Crypto-panel@irtf.org
> > > https://www.irtf.org/mailman/listinfo/crypto-panel


From nobody Tue Mar 10 15:29:03 2020
From: Jon Callas <jon@callas.org>
In-Reply-To: <MN2PR11MB39363F0E8F6FA26950EBB926C1FE0@MN2PR11MB3936.namprd11.prod.outlook.com>
Date: Tue, 10 Mar 2020 15:28:49 -0700
Cc: Jon Callas <jon@callas.org>
Message-Id: <F4DC2B76-1590-4705-8C64-4762A77659E1@callas.org>
References: <8290ee48-83f6-863c-c163-868251ea220b@isode.com> <8F8F5EC1-1F03-4FA0-82BB-780CF91B59B4@gmail.com> <MN2PR11MB393645204695482526854809C1E30@MN2PR11MB3936.namprd11.prod.outlook.com> <MN2PR11MB39363F0E8F6FA26950EBB926C1FE0@MN2PR11MB3936.namprd11.prod.outlook.com>
To: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/N4D0Ok_nXYL__VCiRpC4ETTDqHc>
Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

I also read through it and agree with others -- it's a nice paper. I think there are a number of things to improve it, too, and I'm going to keep from repeating others.

* It could use an introduction that's somewhat of an expansion of the abstract. It's hard to recognize what the RFC is trying to say otherwise. It took me three readings, and I only really figured out what's going on while writing up these comments. This is a great crypto engineering paper, spliced into an RFC template. As an RFC, it ought to say some things actionable. Most people who read RFCs are quasi-knowledgeable implementers. It's always good to spell things out for them. I'm a knowledgeable implementer and I like things spelled out.

* Terms should be used precisely. For example, "CSPRNG" means "Cryptographically Strong Pseudo-Random Number Generator." If you have a CSPRNG that is not cryptographically strong, then say "PRNG." The term CSPRNG should only be used when the PRNG is CS. The abstract defines it, putting scare quotes around "cryptographically strong" with the result being that the reader has to think about what the term means every time it's used. In the following discussion, I'm using "CSPRNG" to mean something actually cryptographically secure; "PRNG" to mean mathematically pseudo-random but not cryptographically secure; and "RNG" to mean an allegedly random generator such as one that is statistically random but utterly guessable.

* Abstract says: "This improves randomness from broken or otherwise subverted CSPRNGs." I suggest: "This improves the security of a protocol when it uses a broken or subverted PRNG." My rationale is that "security" is a better term here than "randomness" and that there are a whole lot of broken RNGs and relatively few subverted ones; broken is not a subset of subverted. Moreover, there are problems that are neither subversion nor a broken RNG that this can help. For example, a state compromise of a CSPRNG is neither broken as a CSPRNG nor is it subverted in the sense that DualEC DRBG was subverted.

* I'd like to see some general cases of brokenness. I can think of three general cases.

a) A mathematically pseudo random generator with known state. For example, AES in counter mode with a fixed key of zero and a naive counter (0, 1, 2 ...). Looking at the output, it's secure, but if you know the state, it's not. This models state compromises, VM restarts that reuse state, and many other issues that are otherwise-good yet compromised RNGs.

The Debian bug falls in here, because it was a badly seeded, but mathematically good RNG. We could also put in here controversies about the Intel RDRAND instruction, which many people believe is broken or subverted despite being apparently a CSPRNG.

b) An RNG with non-random output. For example, the octets 0, 1, 2, ... 255 repeated. The DualEC DRBG, whose state could be learned if an eavesdropper could see small bits of raw output, falls into this case.

c) A totally broken bit string. For example, a string of all zero bits or all one bits.

In all of these cases, the technique enhances the security of the input RNG such that breaking the RNG output is equivalent to breaking the underlying secret key. This is really nice and the whole reason to use this technique.

I think this covers the brokenness that the draft does in a slightly more rigorous and general form.

* In the introduction, it seems to be a little too TLS-specific. TLS is a marvelous example of a protocol, and the specific one the authors are addressing, but the technique is good in many other places.

* I think there's another broad use case that can be added. For example, get a sample from the main RNG, do this protection on the sample, and then use that to seed some suitable DRBG and use it in a subsystem. This would make a nice Section 6 after the TLS example that's more generalized. I think two or three paragraphs is all that is needed.

Summing up, I like this. Various times in the past, I've done something ad hoc that was similar to this, kinda the way NAXOS did, and having this be a documented implementation trick is a good thing.

	Jon
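The following is an added example (editor's code, not the draft's text and not code from either reviewer) that instantiates the draft's generic construction G'(n) = Expand(Extract(H(Sig(sk, tag1)), G(L)), tag2, n) and runs it over the three kinds of broken G listed in Jon's review, while making Scott's points concrete: only H(Sig(sk, tag1)) is cached and the signature is discarded at once, tag2 is built from a timestamp and a per-invocation counter, and tag2 reuse is rejected. Assumptions: H is SHA-256, Extract/Expand are HKDF-SHA256 per RFC 5869, L is 32 bytes, and, because the standard library has no deterministic signature scheme, Sig is replaced by an HMAC stand-in that keeps the one property used here (a fixed secret derived from the long-term key without fresh randomness). Keys, tags and sample inputs are constructed for the example.

```python
"""G'(n) = Expand(Extract(H(Sig(sk, tag1)), G(L)), tag2, n) over broken G's.
Standard library only; see the lead-in for what is assumed."""
import hashlib
import hmac
import itertools
import struct
import time
from typing import Callable, Optional

HASH = hashlib.sha256            # assumption: H is SHA-256
L = HASH().digest_size           # assumption: 32 bytes taken from G per call


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256 (assumed choice of Extract)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (assumed choice of Expand)."""
    if n > 255 * HASH().digest_size:
        raise ValueError("HKDF-Expand output limit exceeded")
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:n]


def sig_stand_in(sk: bytes, msg: bytes) -> bytes:
    """Stand-in (assumption) for a deterministic signature such as RFC 6979
    ECDSA or Ed25519: a fixed secret derived from sk, no fresh randomness."""
    return hmac.new(sk, b"sig-stand-in:" + msg, HASH).digest()


class ImprovedRng:
    """G' wrapped around an arbitrary, possibly broken, G."""

    def __init__(self, sk: bytes, tag1: bytes, g: Callable[[int], bytes]):
        self._g = g
        # Cache only H(Sig(sk, tag1)); the signature itself is dropped at once.
        sig = sig_stand_in(sk, tag1)
        self._salt = HASH(sig).digest()
        del sig
        self._counter = itertools.count()
        self._seen_tag2 = set()

    def _next_tag2(self) -> bytes:
        # Timestamp (when a real-time clock exists) || per-invocation counter.
        return struct.pack(">QQ", time.time_ns(), next(self._counter))

    def generate(self, n: int, tag2: Optional[bytes] = None) -> bytes:
        if tag2 is None:
            tag2 = self._next_tag2()
        if tag2 in self._seen_tag2:
            raise ValueError("tag2 must be unique per (G(L), tag1, sk)")
        self._seen_tag2.add(tag2)
        prk = hkdf_extract(self._salt, self._g(L))   # Extract(H(Sig), G(L))
        return hkdf_expand(prk, tag2, n)             # Expand(prk, tag2, n)


# Deliberately broken G's: the three cases from the review above.
def known_state_prg(seed: bytes) -> Callable[[int], bytes]:
    """(a) sound generator whose state is known; stand-in for AES-CTR, key 0."""
    ctr = itertools.count()

    def g(nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            out += HASH(seed + struct.pack(">Q", next(ctr))).digest()
        return out[:nbytes]
    return g


def cyclic_bytes(nbytes: int) -> bytes:
    """(b) non-random output: 0, 1, ..., 255 repeated."""
    return bytes(i % 256 for i in range(nbytes))


def all_zero(nbytes: int) -> bytes:
    """(c) totally broken: all zero bits."""
    return bytes(nbytes)


def demo() -> dict:
    sk = HASH(b"constructed long-term private key").digest()   # constructed
    tag1 = b"constructed tag1: tls13/server/example"          # constructed
    results = {}
    for name, g in (("known_state", known_state_prg(bytes(32))),
                    ("cyclic", cyclic_bytes), ("all_zero", all_zero)):
        rng = ImprovedRng(sk, tag1, g)
        results[name] = (rng.generate(32), rng.generate(32))
    # Attacker model: G's output (all zeros) and tag2 are known, sk is not.
    tag2 = b"constructed tag2 #1"
    results["honest"] = ImprovedRng(sk, tag1, all_zero).generate(32, tag2)
    results["other_key"] = ImprovedRng(HASH(b"other sk").digest(), tag1,
                                       all_zero).generate(32, tag2)
    results["no_key_guess"] = hkdf_expand(
        hkdf_extract(bytes(L), all_zero(L)), tag2, 32)
    return results


def tag2_reuse_rejected() -> bool:
    rng = ImprovedRng(bytes(32), b"t1", all_zero)
    rng.generate(16, b"same tag2")
    try:
        rng.generate(16, b"same tag2")
    except ValueError:
        return True
    return False
```

Even with G returning all zeros, successive outputs differ (tag2 changes), and an attacker who knows G's output and tag2 but not sk cannot reproduce them; the HKDF helpers can be checked against the RFC 5869 test vectors before trusting the rest.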


From nobody Sun Mar 15 14:20:18 2020
From: Russ Housley <housley@vigilsec.com>
Date: Sun, 15 Mar 2020 17:20:11 -0400
References: <8290ee48-83f6-863c-c163-868251ea220b@isode.com> <8F8F5EC1-1F03-4FA0-82BB-780CF91B59B4@gmail.com> <MN2PR11MB393645204695482526854809C1E30@MN2PR11MB3936.namprd11.prod.outlook.com> <MN2PR11MB39363F0E8F6FA26950EBB926C1FE0@MN2PR11MB3936.namprd11.prod.outlook.com> <F4DC2B76-1590-4705-8C64-4762A77659E1@callas.org>
To: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
In-Reply-To: <F4DC2B76-1590-4705-8C64-4762A77659E1@callas.org>
Message-Id: <346D9EEE-FD9D-4240-BCDE-DD06BC2ED24D@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/0vv0c04zZ2R2CSEuq6stCVUlLTw>
Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-randomness-improvements

Document: draft-irtf-cfrg-randomness-improvements-10
Reviewer: Russ Housley
Review Date: 2020-03-15


The CFRG Chairs asked the Crypto Panel to review this document.
I am providing one review.  There may be others.


Summary:

A technique for improving the security of a random number generator
is provided.  Nice work, but some improvements in the document are
desirable before publication as an Informational RFC.


Major Concerns:

Section 3 requires that "Sig MUST be a deterministic signature
function".  This is inconsistent with the third paragraph in
Section 9.  I think that any "good" signature algorithm with a
"properly" generated private key should work out fine.  So, please
remove the requirement for a deterministic signature function.

Section 4 says: "See Section 5 for example protocol information that
can be used in the context of TLS 1.3."  I did not find that in
Section 5 or anywhere else.

Section 9: Please include the rationale for this requirement that
L >= n - L' for each value of tag2.


Minor Concerns:

Abstract: I think it is too long.  I think the examples of broken
random sources can be moved to the Introduction.

Abstract and Introduction: Why call out TLS?  TLS, IPsec, S/MIME, PGP,
and every other security protocol relies upon random numbers.

Section 4: A real-time clock should be listed as a possible source for
a portion of the tag2 value.


Nits:

I do not think the assignment of "Adv" to the adversary helps explain
the goals.  I think plain English is fine here.  I suggest:

Section 1: s/An adversary Adv with /An adversary with /

Section 1: s/by adversary Adv,/by an adversary,/

Section 1: s/unknown to Adv./unknown to the adversary./


Suggestion:

Appendix A of [SecAnalysis] required an implementation of the algorithm,
with reasonable choices for all of the parameters.  I think it would be
useful to put that pseudo-code in an Appendix of this document along
with a test vector.

