Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 03 April 2015 06:49 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18ABB1A9122 for <tls@ietfa.amsl.com>; Thu, 2 Apr 2015 23:49:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.611
X-Spam-Level:
X-Spam-Status: No, score=-6.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fDoLBvMV8U_g for <tls@ietfa.amsl.com>; Thu, 2 Apr 2015 23:49:33 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50BCA1A9120 for <tls@ietf.org>; Thu, 2 Apr 2015 23:49:33 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t336nRoL009038 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 3 Apr 2015 02:49:27 -0400
Received: from dhcp-2-127.brq.redhat.com (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t336nPpZ007488 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Fri, 3 Apr 2015 02:49:27 -0400
Message-ID: <1428043764.3853.14.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Sean Turner <turners@ieca.com>
Date: Fri, 03 Apr 2015 08:49:24 +0200
In-Reply-To: <E2BBD850-7DF7-4DBF-A2D3-0391EBFB5BA8@ieca.com>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com> <1082369316.6361228.1427914387267.JavaMail.zimbra@redhat.com> <E2BBD850-7DF7-4DBF-A2D3-0391EBFB5BA8@ieca.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/291S4f6iBN8DLGD0I_N3gXh7kHM>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 06:49:35 -0000
On Wed, 2015-04-01 at 17:21 -0400, Sean Turner wrote: > > ----- Original Message ----- > >> This message is to confirm the consensus reached @ the IETF 92 TLS session in > >> Dallas and at the TLS Interim in Seattle to make the TLS 1.3 PRF be an > >> HKDF-based PRF (see > >> http://datatracker.ietf.org/doc/rfc5869/?include_text=1) > >> Please indicate whether or not you agree with the consensus by 2015-04-17. > >> If not, please indicate why. Also, please note that we’re interested in > >> uncovering new issues not rehashing issues already discussed. > > > > I believe the question is totally unwarranteed. No-one has presented any argument > > on why the TLS PRF is not sufficient for its purpose. The only arguments presented > > are theoretical advantages of HKDF, which are fine, but do they add value to TLS? > > Does the advantages of HKDF translate into weaknesses of the TLS PRF? > > Both ekr and I queued the whole discussion up with there’s "nothing really wrong" with the PRF as far as we know. The discussion in Dallas starts about 2:31:15 on audio stream - listen for a muffled ekr saying "oh god": > http://www.ietf.org/audio/ietf92/ietf92-oak-20150326-0900-am1.mp3 > > At about 2:34:47 of the audio stream, Hugo discuses some of the “sub-optimal” aspects of the current PRF. Ok, if I can summarize the argument presented against the current PRF is the fact that it works well when the input (pre_master_secret) is uniform but not otherwise. So in the words of the speaker it works well for the RSA ciphersuites because the premaster secret is simply a random nonce, but not in the other ciphersuites. My words now. The other ciphersuites are Diffie-Hellman and Elliptic curve Diffie-Hellman. In these cases the pre-master-secret is the negotiated key. I've seem several cryptographic proofs assuming that the negotiated key in DH and ECDH is uniform, but indeed that may not be correct, and let's accept the speaker's argument. So we have a problem in the TLS handshake, and we have decided in an afternoon to replace the PRF with what the speaker suggested which is HKDF. That also happens to be the speaker's invention. That's pretty much expected of course. Shouldn't, however, the WG investigate whether there are better alternatives to fix the problem? Shouldn't other cryptographers asked to say their opinion on the fix and the issue? That's what the WG did with Salsa20 proposal, asked the CFRG. Maybe there are even more issues in the current PRF we don't know. In any case, HKDF is not bad choice, it is a good choice and already used in IKEv2. However, I am not an expert in PRFs, but I still see many design similarities in HKDF and the TLS PRF. So I wonder whether there are better from these two choices which we will never know if we only listen to one opinion. > > So no matter the output of that poll the result will be an uneducated guess. In all cases > > it is alarming to see the easiness with which the protocol is being rewritten completely. > > Now its only similarity with TLS 1.2 is the TLS acronym. Would that rewrite bring value > > in par with the efford needed for the rewrite? Would it make us safer in 2030 or are we > > simply apply yesterday's technology today? > I guess I don’t follow - the PRF changed in previous versions and we kept the “TLS” moniker. That's not the comment I make. My main concern is "Would that rewrite bring value in par with the efford needed for the rewrite?". In that particular case with HKDF; is HKDF the best choice we can do now to keep us with a good PRF until 2030? regards, Nikos
- [TLS] confirming the room’s consensus: adopt HKDF… Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Daniel Kahn Gillmor
- Re: [TLS] confirming the room’s consensus: adopt … Nikos Mavrogiannopoulos
- Re: [TLS] confirming the rooms consensus: adopt … Dan Harkins
- Re: [TLS] confirming the room’s consensus: adopt … Russ Housley
- Re: [TLS] confirming the room’s consensus: adopt … Brian Smith
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Yoav Nir
- [TLS] confirming the room’s consensus: adopt HKDF… Peter Gutmann
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Nikos Mavrogiannopoulos
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Watson Ladd
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Andrey Jivsov
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Watson Ladd
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Peter Gutmann
- Re: [TLS] confirming the room’s consensus: adopt … Salz, Rich
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Eric Rescorla