Re: [Cfrg] TLS PRF security proof?
Andy Lutomirski <luto@amacapital.net> Wed, 09 July 2014 15:18 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90ADE1A0AC7 for <cfrg@ietfa.amsl.com>; Wed, 9 Jul 2014 08:18:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 41j1ValWSEyG for <cfrg@ietfa.amsl.com>; Wed, 9 Jul 2014 08:18:36 -0700 (PDT)
Received: from mail-la0-f42.google.com (mail-la0-f42.google.com [209.85.215.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F061F1A03E3 for <cfrg@irtf.org>; Wed, 9 Jul 2014 08:18:35 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id pn19so5200627lab.1 for <cfrg@irtf.org>; Wed, 09 Jul 2014 08:18:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=1O50FkKPemG3qhqs72rrmrx7JcbaIU9m8ROuvPt8/3A=; b=JsvL8YAmlcVrIZLkcPriKsqe/JP4IsvO0xZdIiJmowDpYIkPUi+d2djuFnZ/629kCu faqMOULRRwczXpnL9G105Uc0uzXAhRHiwVvL9w6T/GU63H5gQKxNuCHzCtQ9e7CCrFJv tkRPMfSNDqdHUvrN/nv8Rj0ZwVnLHpVF+AVFJk1N9U8fId4gOii8h3Sk8R1+6HE4tSUJ Z3iKLIGRiF2PO7l62IkR1F3bNnyfZHs0Lsrv89GzdTEYco/QsPM019G/7x09mPSD8Jfe RtFMbL3nESV6CvTGVzgwOg5ciNlTl8qDvm6abv+2EvQRrz1byiStQuXeV4km3aZ3wvP4 pGcQ==
X-Gm-Message-State: ALoCoQkEb0YvQu8cNbsJm+zLffYhtg2oWupVZRQvRb9G8AC73k59VRtzw0tzrJz/N/kA9q189LK6
X-Received: by 10.152.180.168 with SMTP id dp8mr33719444lac.11.1404919114068; Wed, 09 Jul 2014 08:18:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.108.130 with HTTP; Wed, 9 Jul 2014 08:18:13 -0700 (PDT)
In-Reply-To: <20140709125829.22319253.16811.16396@certicom.com>
References: <20140709125829.22319253.16811.16396@certicom.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 09 Jul 2014 08:18:13 -0700
Message-ID: <CALCETrVG9Ltf=9x64mOScorLCUPZNtr1XF6rkfpgzT2GDiwi+g@mail.gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Hg5F0ZkY6lS8rbyOeRThbDEU6bI
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] TLS PRF security proof?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 15:18:38 -0000
On Wed, Jul 9, 2014 at 5:58 AM, Dan Brown <dbrown@certicom.com> wrote: > TLS has been asking for CFRG input on curves, so maybe TLS is now more open to a suggestion like HKDF for future updates. > > Furthermore, the latest TLS 1.3 draft makes a point of lacking a security analysis: thus my question to this list. (Not to the TLS list, because of the research nature of the question. ) > > I'll ask the converse question: besides provable security, what advantage would HKDF have over TLS PRF? Eg, does HKDF fare better than TLS PRF under some disastrous HMAC failure? In other words, if proofs cover the sufficient conditions, what about the necessary conditions? Does the HKDF RFC answer all this already? I can't speak for the TLS WG, but from my own perspective, I have three problems with HDKF: 1. HKDF is parametrized by a hash. What hash should people use? (Hence my suggestion of using combiners -- changing the PRF in an existing protocol is a real PITA and might not even be possible without introducing security holes.) 2. The RFC didn't make the security properties clear to me. For example, protocols should stick nonces into the salt. Oh, wait, they shouldn't stick nonces into the salt without care. Can I use multiple "info" values to safely extract key material and publish it? 3. (Only relevant to hashes using MD construction) My understanding of HMAC is that it's secure against generic attacks on MD hashes if the key is secret and unpredictable. HKDF doesn't necessarily use a secret, unpredictable key for HMAC. Is HKDF-SHA-1 insecure as a result? What about HKDF-SHA-512 against an adversary with unlimited precomputation power? --Andy
- [Cfrg] TLS PRF security proof? Dan Brown
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Igoe, Kevin M.
- Re: [Cfrg] TLS PRF security proof? Dan Harkins
- Re: [Cfrg] TLS PRF security proof? Peter Gutmann
- Re: [Cfrg] TLS PRF security proof? Paterson, Kenny
- Re: [Cfrg] TLS PRF security proof? Dan Brown
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Dan Brown
- Re: [Cfrg] TLS PRF security proof? Paul Hoffman
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Watson Ladd
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Watson Ladd
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Jakob Breier
- Re: [Cfrg] TLS PRF security proof? Hugo Krawczyk
- Re: [Cfrg] TLS PRF security proof? Watson Ladd
- Re: [Cfrg] TLS PRF security proof? Hugo Krawczyk