Hello,
The issue with dtls_prng() is indeed very serious, as the current implementation will generate very weak ECDSA keys. Effective Entropy of the ECDSA key is in the order of 32 bit keyspace, if I am not mistaken. The reason is simple: rand()
has only 2^32 possible states and that translates into 2^32 possible key sequences from default dtls_prng(). The rand() state can be found simply by iterating the state space and checking against some known ECDSA key.
Oh, it is even worse, because only a subset of the dtls_prng() sequences are valid ECDSA keys…
So, if tinydtls is used in your project not just as a marketing tool, make sure dtls_prng() has a cryptographically strong implementation.
Please correct me if I am wrong, but that is how it looks like to me.
Kind regards
Frank Gerlach
void
dtls_ecdsa_generate_key(unsigned char *priv_key,
unsigned char *pub_key_x,
unsigned char *pub_key_y,
size_t key_size) {
uint32_t priv[8];
uint32_t pub_x[8];
uint32_t pub_y[8];
do {
dtls_prng((unsigned char *)priv, key_size);
} while (!ecc_is_valid_key(priv));
ecc_gen_pub_key(priv, pub_x, pub_y);
dtls_ec_key_from_uint32(priv, key_size, priv_key);
dtls_ec_key_from_uint32(pub_x, key_size, pub_key_x);
dtls_ec_key_from_uint32(pub_y, key_size, pub_key_y);
}
Frank Gerlach
Senior Software Engineer
Office: +375
17 389 0100
x 23178
Cell: +375
29 877 4976
Email: frank_gerlach@xxxxxxxx
Minsk, Belarus (GMT+3)
epam.com
CONFIDENTIALITY CAUTION AND DISCLAIMER
This message is intended only for the use of the individual(s) or entity(ies) to which it is addressed and contains information that is legally privileged and confidential. If you are not the intended recipient, or the person responsible for delivering the
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. All unintended recipients are obliged to delete this message and destroy any printed copies.