Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Watson Ladd <> Wed, 22 April 2015 22:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3D5E41B2AD3 for <>; Wed, 22 Apr 2015 15:00:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jlz-Kqo75ys3 for <>; Wed, 22 Apr 2015 15:00:16 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A443F1B2AD4 for <>; Wed, 22 Apr 2015 15:00:15 -0700 (PDT)
Received: by wgyo15 with SMTP id o15so261288610wgy.2 for <>; Wed, 22 Apr 2015 15:00:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=TBr+RSuRvN3wdXi+13Y4vD+KtNmywsYjM0FnbCWtYd4=; b=DyxL9ELwr0q+u/BANr42gOex0HZ/FKLSf5DwABNgnyVdxbE/k9TY8xE5XUYFzphSqk jBxkl8G/UM3ZMYtEH08WjEe656+5S0D3KXrCl8ENTW8n73JtPsQnCKl2DMUKbWozQLVT 7En4yvfD1h/TAVqVCCIzu68LvVDKMu1oqrnJKEfBesGbxvJ52V0JLgxi9mHOhTkuHspo +5YwniDTSSfnyF8QfmLA2InVzzT7TkLK6wlBmaXEi44l2KSUUYqPVpXXju8ciI4xc/2Y 73lfpJCc/teVw1vlPbbP9e9kO+ny/HwwtaJZNzke/PQfENW3R+Sfr++G12FtDVYf+QlP QOdA==
MIME-Version: 1.0
X-Received: by with SMTP id gp9mr9899231wib.83.1429740014368; Wed, 22 Apr 2015 15:00:14 -0700 (PDT)
Received: by with HTTP; Wed, 22 Apr 2015 15:00:13 -0700 (PDT)
Received: by with HTTP; Wed, 22 Apr 2015 15:00:13 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Wed, 22 Apr 2015 15:00:13 -0700
Message-ID: <>
From: Watson Ladd <>
To: Michael StJohns <>
Content-Type: multipart/alternative; boundary="f46d0442883ead7d780514574973"
Archived-At: <>
Subject: Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Apr 2015 22:00:18 -0000

On Apr 22, 2015 2:49 PM, "Michael StJohns" <> wrote:
> I'm top posting my own post....
> Sean et al:
> After spending a bit more time looking at things from the view point of
HSMs and cryptographic isolation, I'm now of the opinion that HKDF
shouldn't be specified.
> The specific issue is the difference between HDKF step 2 and the
SP800-108 expansion functions.   Cryptographically, these specifications
are close to identical except for the inclusion of a mandatory length term
in the mixin values.   Without this term, a key stream produced from the
same mixins (e.g. same label, randoms etc) for the same master key will be
identical regardless of the length of the output key(s).
> E.g. if one call to the KDF has a target key of AES128 and another call
to the KDF using the same master key and mixins has a target key of a
single octet HMAC key, the first octet of the AES key will be identical to
that single octet HMAC key.    Using this construct with increasingly
longer HMAC keys (thanks to HMAC's impedance matching function) will
eventually reveal each and every byte of the AES key.

What if the first call for the HMAC key is 128 bits, and we use a broken

Your example demonstrates why the sane data shouldn't be used for two
different purposes. In fact, it's not clear to me that we can make an HSM
friendly design without telling the HSM which derived values are exportable
and which not.

If we ensured that no value derived by HKDF ever is not used as an
encryption key, this would solve the problem at the cost of some pain with
channel binding. But this would be a very large change.

> In an HSM, there is no way to differentiate these two different KDF calls
for legitimacy.
> If the KDF mixes in the length of the to be output key material, then any
change in the length of the requested key changes the entire key stream.
> I see three different approaches to fix this - 1) specify the SP800-56C
with SP800-108 HMAC, 2) add the length term to the HKDF RFC and republish
it, 3) ensure one or more length terms are included in the "info" for ALL
KDF calls for TLS and document why.
> Mike
> On 4/3/2015 1:45 AM, Michael StJohns wrote:
>> On 4/2/2015 10:04 PM, Sean Turner wrote:
>>> On Apr 02, 2015, at 20:22, Michael StJohns <>
>>>>  I will note that the author claimed in his paper that the IETF was
standardizing this, but I can't find any data suggesting this actually went
through the IETF standardization process (vs independent informational RFC
submission process).  It did garner some review on the CFRG mailing list,
but not to what I normally think of as comprehensive and resolving all
>>> The pre-5869 draft was AD sponsored by Tim Polk.  The IETF LC can be
found here:
>> I saw that, but that's for Informational, not Standard.  Different bar.
>>> We can refer to it normatively if we want to, we just have to make sure
the DOWNREF is explicitly cited, as per RFC 3647.
>> Yup.  But considering that the difference between HKDF vs the
combination of SP800-56C plus SP800-108 section 5.2 is the placement of the
iteration value in what gets HMAC'd and the fact that the HDKF doesn't mix
in the total length of the data to be output,  I'd rather use the latter
cites if we could even if they require an extra paragraph to describe the
selected sizes of L and i and what goes in to Label and Context (basically
"info" by another name).
>> AFAICT, the addition of the L of the output to the data HMAC'd is there
to force a change to the key stream if the length of the output key stream
changes and that's probably a good additional security property.  Other
than that, I would say that these are pretty much identical in
cryptographic composition.
>> Lastly, I still have hopes one day to remove the requirement for the
dependency on a HASH function in the handshake and this construct allows
for a CMAC based MAC.
>> Again - I can live with HKDF, but I'm unclear of why citing the RFC is a
better choice given the above comparison.
>> Thanks - Mike
>> ps - I will write the paragraph for SP800-56C/108 inclusion if you want
if we go that way.
>>> spt
> _______________________________________________
> TLS mailing list