Re: [TLS] Issue 555: Generate IVs in one HKDF invocation?

David Benjamin <davidben@chromium.org> Wed, 17 August 2016 22:52 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB09F12B016 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2016 15:52:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.946
X-Spam-Level:
X-Spam-Status: No, score=-3.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DU8QbxfW9XZj for <tls@ietfa.amsl.com>; Wed, 17 Aug 2016 15:52:55 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99CF912D0AC for <tls@ietf.org>; Wed, 17 Aug 2016 15:52:55 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id b62so4868478iod.3 for <tls@ietf.org>; Wed, 17 Aug 2016 15:52:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ZsbPyLqj7SAx+fvvgPr3+S8yGKP8tl5ldNyYoZBCd0c=; b=YKrDf3aou+9Ygju1pB8cGPAQsCdn/6cxji5IC1s+9PLGEboJtlPRI1OnXJJ38sRpYG YS/lLqxT87szeQn/bLUlD9kKrqmbl5TivLZ1KeFfGvmkC8O6sXuYC7qLehZtkH8ylzuS DqF7YP7Nzgr99ZnKQkZwqGL/He8w2iuMnXHvI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ZsbPyLqj7SAx+fvvgPr3+S8yGKP8tl5ldNyYoZBCd0c=; b=Z7D1euxv4xtljoOfjAkYitTEdu+u2bxugomG0vS42bFzKXF6JKiBjBPsyFnGqPBURN aISFUJXJDx+M2Vg2IuxRj84DUBdOTlghGvi5btPhd8CagQHhKuY3JPJ87HFobCfOctVo /TKhcFQMKWH3SlqWyMdIuG4loDuedZwfez5CgvpF8ewyyyRpEwERNuy3HTjaN97c363J MP5OzUI35afBqx+jjFuBzgq/8eqBOPD97/sguRXBYRz2DVWvi4PVly8LAjHZXe0hyPaI kG9k7k5ivbQatr+kMiDHwYzILgyPdyOV8tyf1T9D1ljFmOBnu+UHOfIJERwpt5Gx6pIE IDEw==
X-Gm-Message-State: AEkoousnb3mYasM4fBpP7lKwxsPoT9YlWRatmZbuuFe9iKtGydf9jiHC2lJGCqY9TRzoDzTlssdin7wyDoETfAO+
X-Received: by 10.107.3.70 with SMTP id 67mr54819850iod.97.1471474374813; Wed, 17 Aug 2016 15:52:54 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMCoEhsDTTioQVCRP=qYLnijS+8wtGFLw1kyYy+fkfyhQ@mail.gmail.com>
In-Reply-To: <CABcZeBMCoEhsDTTioQVCRP=qYLnijS+8wtGFLw1kyYy+fkfyhQ@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 17 Aug 2016 22:52:43 +0000
Message-ID: <CAF8qwaA4sHx0Fm=+wZrfjRtAtjBgSCAbaJZJkCt8GKEx96B=0g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=001a113fb72a689ed3053a4c53bb
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/18fFucpM1NilYx2pvRMRa4gkJMM>
Subject: Re: [TLS] Issue 555: Generate IVs in one HKDF invocation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 22:52:57 -0000

In general one has to generate the directional traffic keys independently
due to read/write epochs changing at different times, so I'd prefer it left
as is. (In BoringSSL, we also generate the directional keys independently.
I'd often wished that TLS 1.2 was the same.)

The switch from handshake to traffic_secret_0 happens at different points
because the key change happens immediately after Finished on both sides
(this is important otherwise a server alert on bad client certificate is
unreadable). From traffic_secret_N to traffic_secret_N+1 is similarly
asymmetric because of KeyUpdate skew.

Not that it's a huge deal either way.

David

On Wed, Aug 17, 2016 at 6:10 PM Eric Rescorla <ekr@rtfm.com> wrote:

> Issue:
>   https://github.com/tlswg/tls13-spec/issues/555
>
> ADL suggested that we could slightly reduce the number of HKDF
> computations by generating the IVs as a single block rather than
> with individual HKDF-Expands. You can't generally do this kind
> of slice-and-dice and preserve the key boundary, but IVs are
> public anyway.
>
> At least for NSS, this makes things slightly more complicated
> because we generate the directional traffic keys independently,
> but it's also not a big deal to change if people want.
>
> Comments in favor or against?
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>