Re: [TLS] PR#875: Additional Derive-Secret Stage

Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 22 February 2017 20:04 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0k6b4eDwDrldIlifhACtnMRf7yQ>
Cc: "tls@ietf.org" <tls@ietf.org>

On Thu, Feb 9, 2017 at 4:15 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> I've just posted a pull request which slightly adjusts the structure of
> key derivation.
> PR#875 adds another Derive-Secret stage to the left side of the key ladder
> between each pair of HKDF-Extracts. There are two reasons for this:
>
> - Address a potential issue raised by Trevor Perrin where an attacker
>   somehow forces the IKM value to match the label value for Derive-Secret,
>   in which case the output of HKDF-Extract would match the derived secret.
>   This doesn't seem like it should be possible for any of the DH variants
>   we are using, and it's not clear that it would lead to any concrete
>   attack, but in the interest of cleanliness, it seemed good to address.
>
> - Restore Extract/Expand parity which gives us some flexibility in
>   case we want to replace HKDF.
>

I want to stress, also as advice for future uses of HKDF, that a
recommended practice for HKDF is to always follow HKDF-Extract with
HKDF-Expand. That's how HKDF is defined and departing from it should be
done with utmost care. The issue raised by Trevor is an example of such
subtleties. In particular, note that HKDF-Extract does not carry an "info"
input while HKDF-Expand does, and such a field is almost always essential for
key separation and to tie derived keys to some particular context.

Hugo


> I don't expect this change to be controversial and I'll merge it on Monday
> unless I hear objections.
>
> Thanks,
> -Ekr
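An added illustration of the point discussed in this thread (example code written for this page, not code from PR#875 or from any TLS implementation): HKDF-Extract is a bare HMAC with no "info" input, so when the key ladder feeds a secret straight into the next HKDF-Extract as its salt, an IKM that happens to equal the first HKDF-Expand block input of a Derive-Secret call makes the two outputs coincide. Inserting a Derive-Secret("derived") stage before the next Extract, as PR#875 does, breaks that coincidence. The HkdfLabel prefix, the traffic-secret label and the zero-PSK early secret are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract: PRK = HMAC-Hash(salt, IKM). No "info"/context input exists here.
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i). The info field binds context.
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
        i += 1
    return out[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    # TLS 1.3 HkdfLabel structure; the "TLS 1.3, " prefix is the draft-era value (assumption).
    full = b"TLS 1.3, " + label
    return struct.pack(">H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    # Derive-Secret = HKDF-Expand(secret, HkdfLabel(label, Hash(messages)), Hash.length)
    return hkdf_expand(secret, hkdf_label(label, HASH(messages).digest(), HASH_LEN), HASH_LEN)


def next_stage_old(prev_secret: bytes, ikm: bytes) -> bytes:
    # Pre-PR#875 ladder: the previous secret is the salt of the next HKDF-Extract directly.
    return hkdf_extract(prev_secret, ikm)


def next_stage_new(prev_secret: bytes, ikm: bytes) -> bytes:
    # PR#875 ladder: an extra Derive-Secret stage sits between the two Extracts.
    return hkdf_extract(derive_secret(prev_secret, b"derived", b""), ikm)


def collision_demo() -> tuple:
    # Constructed scenario: no PSK, so the early secret is Extract(zero salt, zero IKM).
    early = hkdf_extract(b"\x00" * HASH_LEN, b"\x00" * HASH_LEN)
    traffic = derive_secret(early, b"client early traffic secret", b"")  # label is illustrative
    # Constructed IKM equal to "HkdfLabel | 0x01", the input of the first Expand block.
    forced_ikm = hkdf_label(b"client early traffic secret", HASH(b"").digest(), HASH_LEN) + b"\x01"
    # Old ladder: next secret == traffic secret. New ladder: the extra stage changes the HMAC key.
    return next_stage_old(early, forced_ikm) == traffic, next_stage_new(early, forced_ikm) == traffic
```

`collision_demo()` returns `(True, False)`: the coincidence holds for the old ladder and disappears once the "derived" stage is present.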