[TLS] The TLS PRF
Eric Rescorla <ekr@networkresonance.com> Sat, 18 February 2006 21:40 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FAZoA-0003Wg-UM; Sat, 18 Feb 2006 16:40:02 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FAZo9-0003WW-M6 for tls@ietf.org; Sat, 18 Feb 2006 16:40:01 -0500
Received: from laser.networkresonance.com ([198.144.196.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FAZo9-0008D0-Cd for tls@ietf.org; Sat, 18 Feb 2006 16:40:01 -0500
Received: from networkresonance.com (raman.networkresonance.com [198.144.196.3]) by laser.networkresonance.com (Postfix) with ESMTP id 74DD722241D for <tls@ietf.org>; Sat, 18 Feb 2006 13:41:25 -0800 (PST)
To: tls@ietf.org
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 18)
Date: Sat, 18 Feb 2006 13:40:00 -0800
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20060218214125.74DD722241D@laser.networkresonance.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002
Cc:
Subject: [TLS] The TLS PRF
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
People will recall that the current TLS PRF uses HMAC_MD5 and HMAC_SHA1 in tandem. In [BR05], Steve and I recommended that this be amended to solely use HMAC_X where X is the hash algorithm defined as the hash function negotiated for the cipher suite. This has three major difficulties: 1. The TLS PRF is different from the one specified in NIST SP 800-56 S 5.8.1. The TLS PRF is approved only for parameter sets FA and EA, which themselves are only approved up to 2010. 2. The TLS PRF depends on a hash function and so can't be used with MAC algorithms that are not hash-based. So, for instance, you couldn't use CCM or GCM mode. (Note that this is an issue with the 800-56 KDF as well). 3. You can't use it with algorithm suites that define their own KDF, such as GOST and potentially Suite B. In some sense these are separable problems. I think clearly we need to specify a standard TLS KDF (and note that we also use the PRF in Finished), so that at least that KDF can be usable by all of the ciphersuites we currently have. And the recommendation to use the ciphersuite-negotiated hash function still seems sound. So, that leaves us with three questions: 1. Should the Hash-based PRF be based on the current PRF or NIST 800-56? 2. Should we define a standard non-Hash-based PRF? Where would we get it from? If not, what PRF should be used with GCM/CCM/etc.? 3. Should we allow the negotiation of ciphersuite-specific PRFs? Can we get some discussion this issue please? -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Dmitry Belyavsky
- Re: [TLS] The TLS PRF Tim Dierks
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Eric Rescorla
- Re: [TLS] The TLS PRF Tim Dierks
- Re: [TLS] The TLS PRF Steven M. Bellovin
- Re: [TLS] The TLS PRF Peter Gutmann
- Re: [TLS] The TLS PRF Russ Housley