- From: Bennet Yee <bsy@cs.ucsd.edu>
- Date: Thu, 25 Apr 1996 08:10:29 -0700
- To: ietf-tls@w3.org
I think we (myself included) were confusing two issues: (1) the use of a one-second resolution timestamp as a somewhat random nonce in a protocol (e.g., SSLv3), and (2) the amount of entropy available from a clock for use in cryptographically secure pseudo-random number generator (CSPRNG) seeding. My mistake was in assuming the one-second resolution (as from SSLv3) also applied in estimating the available entropy.

With PCs, the architecture of which has been determined by the DOS traps' semantics, the hardware clock is going to have a resolution of 1/100th of a second, and this is the resolution with which a CSPRNG seeding function may measure. (Workstations vary, of course, but typically have at least that resolution.) I am still not assured, however, that the estimated 3 bits of entropy is self-refreshing; nor am I convinced that systems, whether Unix or Windows or whatever OS, wouldn't leak the (more precise) time value through other means anyway. Other values such as processor counters (Alpha's cycle counter, Pentium's processor statistics counters, etc.) are likely to be a much richer source of entropy, since these values are much less likely to be revealed to a network-based adversary as part of normal operation.

Phil argued that the time value's use in SSLv3 is not so much for a true nonce but just as a counter that is unlikely to repeat. This is a much weaker property on which to base a protocol: unlike nonces, such a counter is predictable. My rule of thumb is that security can not derive from a predictable counter in this way unless the source of the counter value somehow validates it (e.g., signs it -- and even then it's replayable), but I haven't studied how it's used in the original SSLv3 protocol carefully. Time to kill a few more trees.

(Sorry about resending a dup msg earlier -- I had assumed that email that I send to the list would also be sent back to me since I am a member of the mailing list [which would also serve as an ack, much as Return-Receipt-To would.])

-bsy
--------
Bennet S. Yee
Phone: +1 619 534 4614
Email: bsy@cs.ucsd.edu
Web: http://www-cse.ucsd.edu/users/bsy/
USPS: Dept of Comp Sci and Eng, 0114, UC San Diego, La Jolla, CA 92093-0114
Received on Thursday, 25 April 1996 11:10:45 UTC
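As an added illustration, not part of the message above, here is a small Python estimator for the second issue the message separates out: how much a coarse clock reading can contribute to a CSPRNG seed once an adversary can already pin the wall-clock time down to some window. The 1/100 s clock resolution comes from the message; the adversary window, the sample counts and the use of `perf_counter_ns` as a stand-in for a processor cycle counter are constructed assumptions.

```python
"""Estimate the seed entropy obtainable from a coarse clock (added example)."""
import math
import time
from collections import Counter


def min_entropy_bits(samples):
    """Min-entropy of a sample list: -log2(p_max). Credit a seed source with
    this figure, not Shannon entropy: a guessing adversary tries the most
    likely reading first."""
    counts = Counter(samples)
    return -math.log2(max(counts.values()) / len(samples))


def shannon_entropy_bits(samples):
    """Shannon entropy in bits; never below min-entropy, so it overstates seed quality."""
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())


def clock_field(t_seconds, resolution):
    """Sub-second part of a timestamp, quantised to the clock's tick (0.01 s on the
    PCs discussed). This is all an adversary who already knows the second must guess."""
    return int(round((t_seconds % 1.0) / resolution))


def seed_entropy_upper_bound(resolution, adversary_window_seconds):
    """Upper bound in bits: log2(number of distinct clock readings that fall inside
    the window to which the adversary can narrow the time)."""
    return math.log2(adversary_window_seconds / resolution)


def collect(sample_fn, n):
    """Draw n readings back to back (constructed sampling loop)."""
    return [sample_fn() for _ in range(n)]


if __name__ == "__main__":
    # Assumed 1/100 s clock, adversary knows the time to the second: log2(100) bits at best.
    print("bound for a 0.01 s clock, 1 s window: %.2f bits" % seed_entropy_upper_bound(0.01, 1.0))
    coarse = collect(lambda: clock_field(time.time(), 0.01), 200)
    # Low byte of a fine-grained timer, as a stand-in for a cycle counter (assumption).
    fine = collect(lambda: time.perf_counter_ns() & 0xFF, 200)
    # Back-to-back readings of the coarse clock repeat, so the measured min-entropy
    # lands far below the bound: a burst of timestamps is not 200 independent samples.
    for name, s in (("1/100 s clock field", coarse), ("fine counter low byte", fine)):
        print("%s: min-entropy %.2f bits, Shannon %.2f bits"
              % (name, min_entropy_bits(s), shannon_entropy_bits(s)))
```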