Re: [TLS] New Key derivations for TLS1.3

"Paul Bakker" <p.j.bakker@offspark.com> Wed, 25 September 2013 09:08 UTC

From: Paul Bakker <p.j.bakker@offspark.com>
To: 'Michael StJohns' <msj@nthpermutation.com>, 'Wan-Teh Chang' <wtc@google.com>
Date: Wed, 25 Sep 2013 11:08:28 +0200
Cc: tls@ietf.org
Subject: Re: [TLS] New Key derivations for TLS1.3

> Simply by adding the length fields to the KDF inputs used with the key
> material exporters.  So if an exporter needs 4 keys, there are 4 length
> values, 2 keys, 2 length values etc.   That makes what gets passed into
> the KDF the secret, the public values including the label,  and the length
> of each key and that construct can be used for the pre-master to master,
> master to key expansion and for any key exporters.  This is just an
> off-the-cuff suggestion at this point.
>
> One other alternative is to only provide lengths for keys - anything
> after the end of the keys is public data.   That allows the
> private/public division  of data consistent with the current model without
> having to build a special function just for the key-expansion step.  And -
> if you run this without providing any key lengths, you end up with the same
> key stream as the old function - and that simplifies the
> PKCS11 implementation.

Wouldn't using the 'ciphersuite id' in the KDF provide the same (as the
ciphersuite determines all those values) and is simpler in the process?
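
The two bindings discussed in this message, as an added example that is not part of the original e-mail or of any TLS draft: it runs the TLS 1.2 key expansion (P_SHA256, RFC 5246) for two suites that differ only in AES key size, first unbound, then with the key lengths or the ciphersuite id mixed into the KDF input. The 2-byte encodings, the helper names and the sample secrets are assumptions made for illustration.

```python
import hashlib, hmac, struct

def p_sha256(secret, seed, n):
    """P_SHA256 expansion from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def key_block(master, randoms, lengths, bind=b""):
    """Derive the key stream and split it; `bind` is extra public KDF input."""
    stream = p_sha256(master, b"key expansion" + randoms + bind, sum(lengths))
    keys, off = [], 0
    for n in lengths:
        keys.append(stream[off:off + n])
        off += n
    return keys

def bind_lengths(lengths):
    # Assumed encoding: each key length as a 2-byte big-endian integer.
    return b"".join(struct.pack(">H", n) for n in lengths)

def bind_suite(suite_id):
    # Assumed encoding: the 2-byte ciphersuite id as sent on the wire.
    return struct.pack(">H", suite_id)

# Constructed sample inputs (not real session data).
MASTER = bytes(range(48))
RANDOMS = b"\x01" * 32 + b"\x02" * 32        # server_random + client_random
# Key order: client MAC, server MAC, client cipher key, server cipher key.
AES128_SHA = (0x002F, [20, 20, 16, 16])      # TLS_RSA_WITH_AES_128_CBC_SHA
AES256_SHA = (0x0035, [20, 20, 32, 32])      # TLS_RSA_WITH_AES_256_CBC_SHA

def overlap(mode):
    """(MAC keys equal?, AES-128 key is a prefix of the AES-256 key?)"""
    blocks = []
    for suite_id, lengths in (AES128_SHA, AES256_SHA):
        bind = {"none": b"", "lengths": bind_lengths(lengths),
                "suite": bind_suite(suite_id)}[mode]
        blocks.append(key_block(MASTER, RANDOMS, lengths, bind))
    a, b = blocks
    return a[0] == b[0], b[2].startswith(a[2])

if __name__ == "__main__":
    for mode in ("none", "lengths", "suite"):
        print(mode, overlap(mode))
```

Unbound, both suites share their MAC keys and the AES-128 key is the first half of the AES-256 key; either binding makes the two key streams unrelated.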