On Mon, Jul 24, 2017 at 8:29 AM, Watson Ladd <watsonbl...@gmail.com> wrote:
> Don't use bad prngs. And don't buy products from vendors who ship back
> doors and refuse to come completely clean when confronted.

Just yesterday DJB posted a blog post about AES-CTR-DRBG, one of the most widely-used PRNGs, and he points out a security optimization that can be applied to it, one that escaped years of review. The optimization only applies if you're generating large chunks of random data, so it doesn't apply to TLS, where the chunks are small; but it's still interesting that we're still finding improvements and problems in this area.

The PRNG sits at the very bottom of the security of TLS, and biases there have the potential to break everything, including back in time; they could defeat PFS and uncloak years' worth of data. We don't always know what's bad at the time that we are using it; e.g. arc4random was considered fine for years. I think it's wise to take some measures to handle the "Well, if it were broken, how would we add defense in depth ..."

-- 
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
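Added example (not code from the thread or from any of its participants): a sketch of the "generate a large batch, then erase the key" pattern for a CTR-style DRBG that the post above alludes to. It assumes the DJB post in question is the fast-key-erasure RNG write-up, in which the first part of each output batch becomes the next key and the key that produced the batch is overwritten before any of the batch is handed out. To stay standard-library only, HMAC-SHA256 over a counter stands in for AES as the block PRF; the construction is otherwise unchanged. `FastKeyErasureRNG` and `compromise_experiment` are names chosen here. The experiment shows the backtracking property: an attacker who copies the generator's key after a batch can predict later output but cannot reconstruct what was already given out. Note that Python cannot guarantee the old key is really gone (slices and `bytes()` copies live on until garbage collected), so the scrubbing is best-effort and is marked as such in the comments.

```python
import hashlib
import hmac

KEY_LEN = 32  # bytes of each batch reserved as the next key (assumed size)
BLOCK = hashlib.sha256().digest_size  # 32-byte PRF output, stand-in for an AES block


def prf_block(key: bytes, counter: int) -> bytes:
    """Stand-in for AES-CTR: one pseudorandom block derived from (key, counter).

    Swapped in for AES so the example runs with the standard library only.
    """
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


class FastKeyErasureRNG:
    """CTR-style generator that overwrites its key after every batch.

    Each refill computes next_key || output from the current key, installs
    next_key, and scrubs the working buffer. Only then is output released.
    """

    def __init__(self, seed: bytes, batch_bytes: int = 768):
        if len(seed) != KEY_LEN:
            raise ValueError(f"seed must be {KEY_LEN} bytes")
        self.key = bytearray(seed)       # mutable so it can be overwritten in place
        self.batch_bytes = batch_bytes
        self.buffer = bytearray()        # not-yet-consumed output of the current batch
        self.batches = 0

    def _refill(self) -> None:
        need = KEY_LEN + self.batch_bytes
        stream = bytearray()
        counter = 0
        while len(stream) < need:
            stream += prf_block(bytes(self.key), counter)
            counter += 1
        # First KEY_LEN bytes become the new key; the rest is output for callers.
        self.buffer = stream[KEY_LEN:need]
        self.key[:] = stream[:KEY_LEN]   # old key is gone before output is released
        for i in range(len(stream)):     # best-effort scrub of the working copy
            stream[i] = 0
        self.batches += 1

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if not self.buffer:
                self._refill()
            take = min(n - len(out), len(self.buffer))
            out += self.buffer[:take]
            del self.buffer[:take]       # consumed output does not linger in the buffer
        return bytes(out)


def compromise_experiment(seed: bytes, batch_bytes: int = 256) -> dict:
    """Simulate an attacker who reads the generator's key after one batch.

    Returns whether that key lets them recover earlier output (should be
    False) and whether it lets them predict later output (True: key erasure
    gives backtracking resistance, not prediction resistance; reseeding from
    an entropy source is what would limit the forward damage).
    """
    rng = FastKeyErasureRNG(seed, batch_bytes)
    earlier = rng.random_bytes(64)            # handed out before the compromise
    stolen_key = bytes(rng.key)               # attacker snapshots memory here
    rng.random_bytes(len(rng.buffer))         # honest side finishes its batch
    later = rng.random_bytes(64)              # first output of the next batch
    attacker = FastKeyErasureRNG(stolen_key, batch_bytes)
    guess = attacker.random_bytes(64)
    return {
        "past_recovered": guess == earlier,
        "future_predicted": guess == later,
        "batches_used": rng.batches,
    }


if __name__ == "__main__":
    # Constructed seed for illustration only; a real generator takes OS entropy.
    print(compromise_experiment(b"\x42" * KEY_LEN))
```

The experiment isolates the property key erasure buys: once the key that produced a batch is overwritten, a later memory disclosure cannot be replayed backwards over that batch. It does nothing against a biased or backdoored PRF, which is the scenario the post worries about; for that, the only defense in depth is mixing in a second, independent source.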