IETF Logo Mail Archive

Re: [Cfrg] TLS PRF security proof?

Andy Lutomirski <luto@amacapital.net> Wed, 09 July 2014 17:51 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E1401B2791 for <cfrg@ietfa.amsl.com>; Wed, 9 Jul 2014 10:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9yDvpnnVOce1 for <cfrg@ietfa.amsl.com>; Wed, 9 Jul 2014 10:51:01 -0700 (PDT)
Received: from mail-la0-f45.google.com (mail-la0-f45.google.com [209.85.215.45]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9C1E1A03E4 for <cfrg@irtf.org>; Wed, 9 Jul 2014 10:51:00 -0700 (PDT)
Received: by mail-la0-f45.google.com with SMTP id hr17so5314363lab.18 for <cfrg@irtf.org>; Wed, 09 Jul 2014 10:50:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=0WDY0jEQdDea51rmXRMpF0NWTG6Ur1IAITArG7cwG8I=; b=OGsRfdfXWsnF+xpPRieSm/ubkH7AQqXcbH93zAE2BYmerQ6iX12/RuJTHoZBNw/TNH H8Y6Qct+HXIP6jIEp8EZouXCxWCZ3wRJPWRZXK0mbkawTuG32UcOeJkqd1YzqlO/zeRo 52g/sQgvrsmLLcQtX48G4Sij9WfUESADQiDT8nwY1l2mjb1dVL/Mv0TjowVn/dgKFx7i 8Z8NsAhB9/rKktoKfFd/bNqYDbXgw/V5DrmThC35rhkZEEA3prlu59aX6QEFG5BASQ4x WS9bqTu0TNA3NGq4ead7EmtOaZhY1UuKSLFrkIeKjh5khGbRQh+F/Su6yrGXxTk8MJRL +ztA==
X-Gm-Message-State: ALoCoQkrA/q5ROXNOryWIGYLuacSBbgfvEPeKpLhUSGLFm08d3KmhZz1a2YRjP6R/HB++VEY41v0
X-Received: by 10.112.41.72 with SMTP id d8mr2943464lbl.63.1404928258428; Wed, 09 Jul 2014 10:50:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.108.130 with HTTP; Wed, 9 Jul 2014 10:50:37 -0700 (PDT)
In-Reply-To: <CALCETrXMZZVbF3tzZm0PfuKQ0h8mUoj7XcWgcJMNMgTuEp1+dg@mail.gmail.com>
References: <20140709125829.22319253.16811.16396@certicom.com> <CALCETrVG9Ltf=9x64mOScorLCUPZNtr1XF6rkfpgzT2GDiwi+g@mail.gmail.com> <6A60ED12-70B4-4CBF-B31E-3D5DDA7DC7EA@vpnc.org> <CALCETrXMZZVbF3tzZm0PfuKQ0h8mUoj7XcWgcJMNMgTuEp1+dg@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 09 Jul 2014 10:50:37 -0700
Message-ID: <CALCETrW7JUbJTJAY3UWf6EpXWc5ij+xy3fzWXE8+-xtpsLG7CQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/qMV93SfsmWo1-mocuvtKNxvu-uw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] TLS PRF security proof?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 17:51:02 -0000

On Wed, Jul 9, 2014 at 8:33 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Wed, Jul 9, 2014 at 8:28 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>
>>> 2. The RFC didn't make the security properties clear to me.  For
>>> example, protocols should stick nonces into the salt.  Oh, wait, they
>>> shouldn't stick nonces into the salt without care.
>>
>> Can you justify that second sentence with anything from RFC 5869? In fact, it says the opposite:
>>
>>    Ideally, the salt value is a random (or pseudorandom) string of the
>>    length HashLen.  Yet, even a salt value of less quality (shorter in
>>    size or with limited entropy) may still make a significant
>>    contribution to the security of the output keying material; designers
>>    of applications are therefore encouraged to provide salt values to
>>    HKDF if such values can be obtained by the application.
>
> Quoting from RFC 5869, section 3.4:
>
>    Independence is also an important aspect of the salt value provided
>    to a KDF.  While there is no need to keep the salt secret, and the
>    same salt value can be used with multiple IKM values, it is assumed
>    that salt values are independent of the input keying material.  In
>    particular, an application needs to make sure that salt values are
>    not chosen or manipulated by an attacker.  As an example, consider
>    the case (as in IKE) where the salt is derived from nonces supplied
>    by the parties in a key exchange protocol.  Before the protocol can
>    use such salt to derive keys, it needs to make sure that these nonces
>    are authenticated as coming from the legitimate parties rather than
>    selected by the attacker (in IKE, for example this authentication is
>    an integral part of the authenticated Diffie-Hellman exchange).
>

I should note that this text in 3.4 smells funny to me even taken
alone.  Making sure that the nonces come from legitimate parties does
*not* imply that they are independent of the IKM in any sense of the
word "independent" that I understand.

I, and presumably protocol designers everywhere, would much prefer
language that tells me "this primitive provides this security
guarantee if this condition is met" where the condition is clearly
specified.

This is not to say that HKDF is not a perfectly good KDF, but I find
the RFC 5869 language unconvincing.

--Andy

v2.23.0 | Report a Bug | By Email