RFC 5246 Section 7.4.1.2 states that the 32 bytes of random required in the Client and Server Hello messages should be 4 bytes of time and 28 bytes of random.

  • Why can't it be 32 bytes of random?
  • What is the purpose of including time value in it?

The spec also says that clocks need not be set correctly for the TLS protocol, and as we can see, this time value is not used for any other special purpose; the entire random value (full 32 bytes) is as such used for Master Secret derivation.

  The ClientHello message includes a random structure, which is used
  later in the protocol.

     struct {
         uint32 gmt_unix_time;
         opaque random_bytes[28];
     } Random;

  gmt_unix_time
     The current time and date in standard UNIX 32-bit format
     (seconds since the midnight starting Jan 1, 1970, UTC, ignoring
     leap seconds) according to the sender's internal clock.  Clocks
     are not required to be set correctly by the basic TLS protocol;
     higher-level or application protocols may define additional
     requirements.  Note that, for historical reasons, the data
     element is named using GMT, the predecessor of the current
     worldwide time base, UTC.

  random_bytes
     28 bytes generated by a secure random number generator.
Jay
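
The Random structure quoted in the question, and the way both full 32-byte values enter the master secret, as an added example that is not part of the original post or of any TLS library. The function names are hypothetical, the premaster secret and timestamps are constructed, and HMAC-SHA256 is assumed as the PRF hash (the RFC 5246 default; a cipher suite may specify another).

```python
import hashlib
import hmac
import os
import struct
import time


def make_random(now=None):
    """Build the 32-byte Random: uint32 gmt_unix_time + 28 random bytes."""
    ts = int(time.time() if now is None else now) & 0xFFFFFFFF
    return struct.pack("!I", ts) + os.urandom(28)


def parse_random(blob):
    """Split a Random back into (gmt_unix_time, random_bytes)."""
    if len(blob) != 32:
        raise ValueError("Random must be exactly 32 bytes")
    (ts,) = struct.unpack("!I", blob[:4])
    return ts, blob[4:]


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 Section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master, client_random, server_random):
    """RFC 5246 Section 8.1: PRF seeded with both full 32-byte Randoms."""
    seed = b"master secret" + client_random + server_random
    return p_sha256(pre_master, seed, 48)


if __name__ == "__main__":
    pms = bytes(48)  # constructed all-zero premaster secret, demo only
    cr, sr = make_random(1_700_000_000), make_random(1_700_000_000)
    ts, rnd = parse_random(cr)
    print("client time field:", ts, "random part:", rnd.hex())
    # Same 28 random bytes, time field moved by one second:
    # the time bytes are part of the PRF seed, so the secret differs.
    cr2 = struct.pack("!I", ts + 1) + rnd
    print(master_secret(pms, cr, sr).hex())
    print(master_secret(pms, cr2, sr).hex())
```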

1 Answer

I'm not a pro, nor am I working with this, but I assume it might be something with a duplicate.

I mean, if you just use 32 bytes of random data, the chance increases with time that you get the same random data.

But if you use 28 bytes of random data and 4 bytes of time the chance that someone gets the same 28 random bytes at the same time you get your 28 random bytes.

If I'm wrong, please correct me, since this is a pretty interesting question.

Lexu