Kleptography in Authentication Protocols: Why is it Still Possible?

Network authentication frequently relies on nonces, and even widely deployed protocols still rely on random nonces, although they might enable kleptography attacks. Notably, for TLS a kleptography-based covert channel has been published, and despite a proposal to cure this weakness via controlled randomness including backward compatibility, the protocol description is not updated. We investigate if lack of bandwidth, i.e., lack of applicability, could be a reason not to care for such an update. Moreover, we give examples of other authentication protocols that might suffer from a similar weakness, and that possibly might profit from a similar cure, thus indicating necessity of further research.