[TLS] The TLS PRF
Eric Rescorla <ekr@networkresonance.com> Sat, 18 February 2006 21:40 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FAZoA-0003Wg-UM; Sat, 18 Feb 2006 16:40:02 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FAZo9-0003WW-M6 for tls@ietf.org; Sat, 18 Feb 2006 16:40:01 -0500
Received: from laser.networkresonance.com ([198.144.196.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FAZo9-0008D0-Cd for tls@ietf.org; Sat, 18 Feb 2006 16:40:01 -0500
Received: from networkresonance.com (raman.networkresonance.com [198.144.196.3]) by laser.networkresonance.com (Postfix) with ESMTP id 74DD722241D for <tls@ietf.org>; Sat, 18 Feb 2006 13:41:25 -0800 (PST)
To: tls@ietf.org
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 18)
Date: Sat, 18 Feb 2006 13:40:00 -0800
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20060218214125.74DD722241D@laser.networkresonance.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002
Cc:
Subject: [TLS] The TLS PRF
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
People will recall that the current TLS PRF uses HMAC_MD5 and HMAC_SHA1
in tandem. In [BR05], Steve and I recommended that this be amended to
solely use HMAC_X where X is the hash algorithm defined as the hash
function negotiated for the cipher suite. This has three major
difficulties:
1. The TLS PRF is different from the one specified in NIST SP 800-56
S 5.8.1. The TLS PRF is approved only for parameter sets
FA and EA, which themselves are only approved up to 2010.
2. The TLS PRF depends on a hash function and so can't be used
with MAC algorithms that are not hash-based. So, for instance,
you couldn't use CCM or GCM mode. (Note that this is an issue
with the 800-56 KDF as well).
3. You can't use it with algorithm suites that define their own
KDF, such as GOST and potentially Suite B.
In some sense these are separable problems. I think clearly we need to
specify a standard TLS KDF (and note that we also use the PRF in
Finished), so that at least that KDF can be usable by all of the
ciphersuites we currently have. And the recommendation to use
the ciphersuite-negotiated hash function still seems sound.
So, that leaves us with three questions:
1. Should the Hash-based PRF be based on the current PRF or NIST
800-56?
2. Should we define a standard non-Hash-based PRF? Where would
we get it from? If not, what PRF should be used with GCM/CCM/etc.?
3. Should we allow the negotiation of ciphersuite-specific PRFs?
Can we get some discussion this issue please?
-Ekr
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
- [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Dmitry Belyavsky
- Re: [TLS] The TLS PRF Tim Dierks
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Tim Dierks
- Re: [TLS] The TLS PRF Steven M. Bellovin
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Russ Housley