[MLS] DeriveKeyPair IKM size

Simon Ser <contact@emersion.fr> Wed, 13 March 2024 23:18 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/JdrJvjGnVjNHX1xE4kTcsmq_PRc>

Hi,

In [1] I reported that some MLS cipher suites will pass an IKM to DeriveKeyPair
which doesn't match the recommendations of HPKE. The HPKE RFC says:

> For a given KEM, the ikm parameter given to DeriveKeyPair() SHOULD have length
> at least Nsk, and SHOULD have at least Nsk bytes of entropy.

But MLS cipher suite 0x05 will pass an IKM with size 64, while Nsk = 66.

Is this intentional?

Simon

[1]: https://github.com/cloudflare/circl/issues/486#issuecomment-1996056891
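A worked check of the mismatch the message describes, as an added example that is not part of Simon's message or of any MLS or HPKE implementation: it carries out RFC 9180's DeriveKeyPair scalar derivation for DHKEM(P-521, HKDF-SHA512), the KEM of cipher suite 0x05, on a 64-byte IKM (the KDF output size Nh of that suite) and reports that this IKM is shorter than Nsk = 66. The derivation itself still succeeds because the candidate loop expands dkp_prk to Nsk bytes; the constants are taken from RFC 9180 and FIPS 186-4, and the public-key computation is left out.

```python
# Added example (not from the message): RFC 9180 DeriveKeyPair scalar derivation for
# DHKEM(P-521, HKDF-SHA512), the KEM of MLS cipher suite 0x05, fed a 64-byte IKM.
import hashlib
import hmac

# kem_id 0x0012, Nsk 66 and bitmask 0x01 are from RFC 9180 Section 7.1; the order is from FIPS 186-4.
KEM_ID = 0x0012
NSK = 66
BITMASK = 0x01
P521_ORDER = int(
    "01" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")
NH = hashlib.sha512().digest_size  # 64: the KDF output size of MLS secrets, hence of this IKM

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt or bytes(NH), ikm, hashlib.sha512).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha512).digest()
        out += block
        i += 1
    return out[:length]

def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)

def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(prk, length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info, length)

def derive_private_key(ikm: bytes) -> int:
    """RFC 9180 DeriveKeyPair for NIST curves, returning only the scalar (no point multiplication)."""
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm)
    for counter in range(256):  # RFC 9180 allows at most 256 candidates
        cand = bytearray(labeled_expand(dkp_prk, b"candidate", bytes([counter]), NSK))
        cand[0] &= BITMASK  # clear the top bits so the candidate has at most 521 bits
        sk = int.from_bytes(cand, "big")
        if 0 < sk < P521_ORDER:
            return sk
    raise ValueError("DeriveKeyPairError")

def ikm_meets_hpke_recommendation(ikm: bytes) -> bool:
    """The SHOULD quoted in the message: len(ikm) >= Nsk; the entropy part cannot be checked here."""
    return len(ikm) >= NSK

if __name__ == "__main__":
    ikm = bytes(range(NH))  # constructed 64-byte secret, the size MLS hands to DeriveKeyPair
    print(derive_private_key(ikm) < P521_ORDER, ikm_meets_hpke_recommendation(ikm))
```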