W3C home > Mailing lists > Public > ietf-tls@w3.org > April to June 1996

time as a source of randomness

From: Bennet Yee <bsy@cs.ucsd.edu>
Date: Thu, 25 Apr 1996 08:10:29 -0700
Message-Id: <199604251510.IAA29498@work.ucsd.edu>
To: ietf-tls@w3.org

I think we (myself included) were confusing two issues.  (1) The use
of a one-second resolution timestamp as a somewhat random nonce in a
protocol (e.g., SSLv3), and (2) the amount of entropy available from a
clock for use in crytographically secure pseudo-random number (CSPRNG)
generator seeding.

My mistake was in assuming the one-second resolution (as from SSLv3)
also applied in estimating the available entropy.  With PCs the
architecture of which has been determine by the DOS traps' semantics,
the hardware clock is going to have a resolution of 1/100th of a
second, and this is the resolution with which a CSPRNG seeding
function may measure.  (Workstations vary, of course, but typically
have at least that resolution.)  I am still not assured, however, that
the estimated 3 bits of entropy is self-refreshing; nor am I convinced
that systems, whether Unix or Windows or whatever OS, wouldn't leak
the (more precise) time value through other means anyway.  Other
values such as processor counters (Alpha's cycle counter, Pentium's
processor statistics counters, etc) are likely to be a much richer
source of entropy, since these values are much less likely to be
revealed to a network-based adversary as part of normal operation.

Phil argued that the time value's use in SSLv3 is not so much for a
true nonce but just as a counter that is unlikely to repeat.  This is
a much weaker property on which to base a protocol: unlike nonces,
such a counter is predictable.  My rule of thumb is that security can
not derive from a predictable counter in this way unless the source of
the counter value somehow validates it (e.g., signs it -- and even
then it's replayable), but I haven't studied how it's used in the
original SSLv3 protocol carefully.  Time to kill a few more trees.

(Sorry about resending a dup msg earlier -- I had assumed that email
that I send to the list would also be sent back to me since I am a
member of the mailing list [which would also serve as an ack, much as
Return-Receipt-To would.])


Bennet S. Yee		Phone: +1 619 534 4614	    Email: bsy@cs.ucsd.edu

Web:	http://www-cse.ucsd.edu/users/bsy/
USPS:	Dept of Comp Sci and Eng, 0114, UC San Diego, La Jolla, CA 92093-0114
Received on Thursday, 25 April 1996 11:10:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:01:58 UTC