[Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)

"Salz, Rich" <rsalz@akamai.com> Fri, 08 May 2020 20:21 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 8 May 2020 20:21:19 +0000
Message-ID: <07D37E65-0951-49BB-B86E-BD3167ADB352@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/hL3fNIbPAYTswBIo-e0jVel-DCo>
Subject: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)

If you don’t care about FIPS-140, just delete this message, and avoid the temptation to argue how bad it is.

NIST SP 800-56C (Recommendation for Key-Derivation Methods in Key-Establishment Schemes) is currently a draft in review. The document is at https://csrc.nist.gov/publications/detail/sp/800-56c/rev-2/draft. Email comments can be sent to 800-56C_Comments@nist.gov with a deadline of May 15. That is not a lot of time. The NIST crypto group is currently unlikely to include HKDF, which means that TLS 1.3 would not be part of FIPS. The CMVP folks at NIST understand this, and agree that this would be bad; they are looking at adding it, perhaps via an Implementation Guidance update.

If you have a view of HKDF (and perhaps TLS 1.3), I strongly encourage you to comment at the above address. Please do not comment here. I know that many members of industry and academia have been involved with TLS 1.3, and performed security analysis of it. If you are one of those people, *please* send email and ask the NIST Crypto Team to reconsider.

Thank you.
	/r$