Re: [Cfrg] TLS PRF security proof?

Dan Brown <dbrown@certicom.com> Wed, 09 July 2014 12:58 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/caB0TejQr8B1cQbgU69RI8iEpjE

TLS has been asking for CFRG input on curves, so maybe TLS is now more open to a suggestion like HKDF for future updates.

Furthermore, the latest TLS 1.3 draft makes a point of lacking a security analysis: thus my question to this list. (Not to the TLS list, because of the research nature of the question.)

I'll ask the converse question: besides provable security, what advantage would HKDF have over TLS PRF? E.g., does HKDF fare better than TLS PRF under some disastrous HMAC failure? In other words, if proofs cover the sufficient conditions, what about the necessary conditions? Does the HKDF RFC answer all this already?

Best regards, 

-- Dan
Original Message
From: Peter Gutmann
Sent: Wednesday, July 9, 2014 1:58 AM
To: cfrg@irtf.org
Subject: Re: [Cfrg] TLS PRF security proof?

Dan Brown <dbrown@certicom.com> writes:

>Would it be useful if CFRG were to publish a recommended PRF?

Already done, just use HKDF, RFC 5869. The problem isn't publishing it, it's
getting it adopted, so far each and every standards group has seen fit to
invent their own incompatible PRF/KDF, and I'm not sure what size gun you'd
need to hold to everyone's head to get them to agree to standardise on HKDF
(or anything else for that matter).

Peter.

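For reference, the two constructions compared in this thread, written side by side as an added example (not code from either poster or from any TLS implementation): the TLS 1.2 PRF from RFC 5246 section 5 and HKDF from RFC 5869, both over HMAC-SHA256. The function names are this example's own, and the demo secret, label and seed at the bottom are constructed values.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5: PRF(secret, label, seed) = P_SHA256(secret, label + seed).

    The raw secret is the HMAC key for every call; there is no extraction step.
    """
    seed = label + seed
    a, out = seed, b""                   # A(0) = label + seed
    while len(out) < length:
        a = _hmac(secret, a)             # A(i) = HMAC(secret, A(i-1))
        out += _hmac(secret, a + seed)   # block i = HMAC(secret, A(i) + seed)
    return out[:length]


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC(salt, IKM); the secret is the HMAC *message*."""
    return _hmac(salt or bytes(HASH_LEN), ikm)  # empty salt means HASH_LEN zero bytes


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 section 2.3: T(i) = HMAC(PRK, T(i-1) + info + i), i a one-byte counter."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output is limited to 255 * HashLen bytes")
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = _hmac(prk, t + info + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


if __name__ == "__main__":
    # Constructed demo inputs, not taken from any real handshake.
    secret, label, seed = bytes(range(48)), b"key expansion", bytes(64)
    print("TLS 1.2 PRF:", tls12_prf(secret, label, seed, 40).hex())
    prk = hkdf_extract(b"", secret)
    print("HKDF       :", hkdf_expand(prk, label + seed, 40).hex())
```

The structural difference is visible in the key argument: the TLS PRF keys every HMAC call with the input secret directly, while HKDF first condenses the input into a pseudorandom key under a salt and only then expands it.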