Re: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 12 May 2020 05:49 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E830E3A07AD; Mon, 11 May 2020 22:49:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.395
X-Spam-Level:
X-Spam-Status: No, score=-1.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YT_c8dWXdrPb; Mon, 11 May 2020 22:49:33 -0700 (PDT)
Received: from mail-ot1-f48.google.com (mail-ot1-f48.google.com [209.85.210.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 301FC3A07AE; Mon, 11 May 2020 22:49:25 -0700 (PDT)
Received: by mail-ot1-f48.google.com with SMTP id m18so9543302otq.9; Mon, 11 May 2020 22:49:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=04Jid3Im4P3bKWnr0KzCjnbQ9d1FHndGfy7Wzie6i/Q=; b=iXJEV8fnxrFeTY9OOCxwH4vvOMQSHU4WQzfGxA5laDtvHGUesLVrYfFDUAGr/7z8SF Ze/4syPa4lU9BiFC9H3RBodsA93hZIYJThr8atNffXuWzGc4igMYhPc9uWBg6EE2qsg/ sWd4CU54QvG+tu3bExU7r+POFCDARvkko567wKavHayCL7LUL5kfLYN7wfEvyOb+Pl3X SVpXEFoOl3nfea/ZeUpbuLK3gTu/qvGwhLoJPCxDP9ESBkxXQK59MIpTUNTDHsLxxe9v P2GoHaxCt+g90S35oHfn8G3tYiit1rinPOIDbdqJV/XD7BORafX+GV152rRy9dccT74A 2Rxg==
X-Gm-Message-State: AGi0PuYUd+Wx5quy9288hi83dP1pnsypX3pD6lpzotQvxR6Dscfj+e0z kXzFXZ4/vAuWXAOL7p4NFNIAgcYJLJMnd6x0v1s=
X-Google-Smtp-Source: APiQypJJeduBnxRhuUfpKt9GOscG4ATSTtsVvAR6ZmT5MlZ0wxuExSf79FWSKVoIJHSN+MaFKrBRgFgxBtwuD2oiUVo=
X-Received: by 2002:a05:6830:30aa:: with SMTP id g10mr13836907ots.124.1589262564232; Mon, 11 May 2020 22:49:24 -0700 (PDT)
MIME-Version: 1.0
References: <07D37E65-0951-49BB-B86E-BD3167ADB352@akamai.com> <BY5PR09MB4755E58AF9CDF696C0E7F649F3A10@BY5PR09MB4755.namprd09.prod.outlook.com> <CAMm+LwiPZm-sC0-pi+3gNb6BvSPw475j89oFh9sOBJioLdkyxw@mail.gmail.com> <CADi0yUOgWN4UR2D1AbSEpo4ZiiJQysy=b1_WTGR6RiFuqRftTQ@mail.gmail.com>
In-Reply-To: <CADi0yUOgWN4UR2D1AbSEpo4ZiiJQysy=b1_WTGR6RiFuqRftTQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 12 May 2020 01:49:13 -0400
Message-ID: <CAMm+LwhUiv44zHrh8rUrcGHmTSA6ZYt9+t3WWU0xx4GeB-oMHQ@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Cc: "Dang, Quynh H. (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000098bf9c05a56d0634"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/71H1ScuuSF9cy3HodVtsr0Qfwus>
Subject: Re: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 05:49:35 -0000
On Mon, May 11, 2020 at 4:36 PM Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: > There is no flaw if you use HMAC and HKDF as intended. See details below. > One time pads aren't flawed if you use them right. When they become a two time pad, there is a problem. My point is that if we are developing schemes that are supposed to be used as utility building blocks, we need to consider all the ways they might be used and not just limit ourselves to the ones we expect. That was the argument made for defining authenticated encryption modes, it holds here as well. > The bottom line advise is: If you are using related (not random) salt > values in HKDF, you are probably using it with domain separation > functionality. In HKDF, domain separation is enforced via the info field > not the salt. Read the HKDF RFC and paper for background and rationale. > I am already using the info field for domain separation. I use info to generate separate keys for encryption, authentication, any IVs etc. by concatenating the IANA protocol name and the encryption function. So I don't want to put any more in there. It is easy enough to fix if you are aware of it. I noticed the issue while I was implementing HMAC by hand. But the person who is using the function using a library call (i.e. myself five years from now) might not be aware. Saying 'read my paper' really isn't an argument. I know the design rationale. I am saying it is the wrong one for the future. And regardless, I don't see mention of the issue in section 4.2 of the paper you cite nor is there mention of the issue in RFC 2104. If I have to go hunting to find security issues with a standard, that is a problem in itself. BTW, the reason it came up with DARE was an attempt to address the problem of 'encrypting the subject header' and other metadata separately from the content data. But under the same key. Bearing in mind that we want to be able to encrypt multiple data items under a single key exchange. So starting from the result of the key agreement, I add in a per envelope salt which is typically 128 bits. That allows for erasure of the message by overwriting the salt value. The main data content is encrypted under a KDF with the IKM and envelope salt. If additional encrypted data sequences are required, they are encrypted under the IKM, salt and an additional counter. Now I can fix my designs, but others won't. Considering the EDS counter to be an extension to the key led to the unexpected result that the EDS and content were encrypted with the same key. Now, it is arguably better considered to be a part of the salt which is where I think the current code is (have to check). But my general point stands, this should be a utility function but the Feb 1997 spec does not meet our standards today.
- [Cfrg] NIST crypto group and HKDF (and therefore … Salz, Rich
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Dan Brown
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Salz, Rich
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Dan Brown
- Re: [Cfrg] NIST crypto group and HKDF (and theref… John Bradley
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Yevgeniy Dodis
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Salz, Rich
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Watson Ladd
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Sean Turner
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Dang, Quynh H. (Fed)
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Phillip Hallam-Baker
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Hugo Krawczyk
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Hugo Krawczyk
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Phillip Hallam-Baker
- Re: [Cfrg] NIST crypto group and HKDF (and theref… "Torsten Schütze"
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Dang, Quynh H. (Fed)
- Re: [Cfrg] NIST crypto group and HKDF (and theref… "Torsten Schütze"
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Dan Brown
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Phillip Hallam-Baker
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Dang, Quynh H. (Fed)
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Hugo Krawczyk
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Hugo Krawczyk
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Dang, Quynh H. (Fed)
- Re: [Cfrg] NIST crypto group and HKDF (and theref… Dang, Quynh H. (Fed)
- Re: [Cfrg] [TLS] NIST crypto group and HKDF (and … Blumenthal, Uri - 0553 - MITLL