IETF Logo Mail Archive

Re: [Cfrg] TLS PRF security proof?

Andy Lutomirski <luto@amacapital.net> Wed, 09 July 2014 15:18 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90ADE1A0AC7 for <cfrg@ietfa.amsl.com>; Wed, 9 Jul 2014 08:18:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 41j1ValWSEyG for <cfrg@ietfa.amsl.com>; Wed, 9 Jul 2014 08:18:36 -0700 (PDT)
Received: from mail-la0-f42.google.com (mail-la0-f42.google.com [209.85.215.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F061F1A03E3 for <cfrg@irtf.org>; Wed, 9 Jul 2014 08:18:35 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id pn19so5200627lab.1 for <cfrg@irtf.org>; Wed, 09 Jul 2014 08:18:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=1O50FkKPemG3qhqs72rrmrx7JcbaIU9m8ROuvPt8/3A=; b=JsvL8YAmlcVrIZLkcPriKsqe/JP4IsvO0xZdIiJmowDpYIkPUi+d2djuFnZ/629kCu faqMOULRRwczXpnL9G105Uc0uzXAhRHiwVvL9w6T/GU63H5gQKxNuCHzCtQ9e7CCrFJv tkRPMfSNDqdHUvrN/nv8Rj0ZwVnLHpVF+AVFJk1N9U8fId4gOii8h3Sk8R1+6HE4tSUJ Z3iKLIGRiF2PO7l62IkR1F3bNnyfZHs0Lsrv89GzdTEYco/QsPM019G/7x09mPSD8Jfe RtFMbL3nESV6CvTGVzgwOg5ciNlTl8qDvm6abv+2EvQRrz1byiStQuXeV4km3aZ3wvP4 pGcQ==
X-Gm-Message-State: ALoCoQkEb0YvQu8cNbsJm+zLffYhtg2oWupVZRQvRb9G8AC73k59VRtzw0tzrJz/N/kA9q189LK6
X-Received: by 10.152.180.168 with SMTP id dp8mr33719444lac.11.1404919114068; Wed, 09 Jul 2014 08:18:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.108.130 with HTTP; Wed, 9 Jul 2014 08:18:13 -0700 (PDT)
In-Reply-To: <20140709125829.22319253.16811.16396@certicom.com>
References: <20140709125829.22319253.16811.16396@certicom.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 09 Jul 2014 08:18:13 -0700
Message-ID: <CALCETrVG9Ltf=9x64mOScorLCUPZNtr1XF6rkfpgzT2GDiwi+g@mail.gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Hg5F0ZkY6lS8rbyOeRThbDEU6bI
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] TLS PRF security proof?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 15:18:38 -0000

On Wed, Jul 9, 2014 at 5:58 AM, Dan Brown <dbrown@certicom.com> wrote:
> ‎TLS has been asking for CFRG input on curves, so maybe TLS is now more open to a suggestion like HKDF for future updates.
>
> Furthermore, the latest TLS 1.3 draft makes a point of lacking a security analysis: thus my question to this list. (Not to the TLS list, because of the research nature of the question. )
>
> I'll ask the converse question: besides provable security, what advantage would HKDF have over TLS PRF? Eg, does HKDF fare better than TLS PRF under some disastrous HMAC failure? In other words, if proofs cover the sufficient conditions, what about the necessary conditions? Does the HKDF RFC answer all this already?

I can't speak for the TLS WG, but from my own perspective, I have
three problems with HDKF:

1. HKDF is parametrized by a hash.  What hash should people use?
(Hence my suggestion of using combiners -- changing the PRF in an
existing protocol is a real PITA and might not even be possible
without introducing security holes.)

2. The RFC didn't make the security properties clear to me.  For
example, protocols should stick nonces into the salt.  Oh, wait, they
shouldn't stick nonces into the salt without care.  Can I use multiple
"info" values to safely extract key material and publish it?

3. (Only relevant to hashes using MD construction) My understanding of
HMAC is that it's secure against generic attacks on MD hashes if the
key is secret and unpredictable.  HKDF doesn't necessarily use a
secret, unpredictable key for HMAC.  Is HKDF-SHA-1 insecure as a
result?  What about HKDF-SHA-512 against an adversary with unlimited
precomputation power?


--Andy

v2.23.0 | Report a Bug | By Email