Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 27 April 2015 06:06 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Michael StJohns <msj@nthpermutation.com>, Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 27 Apr 2015 06:06:02 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AB0084CA@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com> <551DDD4E.5070509@nthpermutation.com> <F7F3EB83-FEA2-477C-8810-38C49B71C977@ieca.com> <551E290D.7020207@nthpermutation.com> <55381768.8010402@nthpermutation.com> <CACsn0cm5A50dP4JDKq9R0XdB83hyzPPLQHAMnUcXFb+DCSwV7g@mail.gmail.com> <55392B08.6020304@nthpermutation.com> <CADi0yUPTixoesXkgd=HYe_+ua_+=_UfcDBSndCgdh1usTzNpzQ@mail.gmail.com> <553D3572.6040408@nthpermutation.com> <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>, <553D4FF7.8080700@nthpermutation.com>
In-Reply-To: <553D4FF7.8080700@nthpermutation.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6CAl-fTaZdcCMXwZUKpuQz6cIoA>
Cc: "tls@ietf.org" <tls@ietf.org>
Michael StJohns <msj@nthpermutation.com> writes:

>This isn't about TLS specifically, but about how an HSM makes sure an
>attacker can't extract TLS keys.

Stepping back a bit in order to actually see the woods here, why is this an issue? Anyone who's using hardware for performance reasons will offload everything to an SSL terminator, almost everyone else who doesn't want to do that will do the crypto on the host, those worried about private-key security will store the server key in an HSM but not do the bulk crypto there because doing it on the host is typically much faster, and even if you do use PKCS #11 to do your bulk crypto for TLS, any attacker who's in a position to extract the session keys from an HSM via a PKCS #11 mechanism has to control the host it's talking to, in which case they've got direct access to the plaintext anyway.

I realise that it's always possible to invent some scenario in which this is an issue, but how much of a real-world impact does it actually have? Bob Relyea suggested TLS 1.2 PRF mechanisms in 2007 on the old Cryptoki list (and it seemed his motivation for that was the need to be able to support it in Mozilla's softoken implementation, for which he needed a defined PKCS #11 mechanism), and OASIS is just getting around to finalising the standard for them now, seven years later. This would seem to indicate that the actual industry demand for this (not the hypothesised need but the real-world demand) is a giant who-cares.

So as I've already said earlier in this discussion, create the best mechanism that's a combination of good crypto design principles and ease of implementation/deployment for existing implementations, and if someone specifically wants to do it in an HSM they'll have to accept that they're the odd corner case and deal with it.

Peter.