Re: [TLS] Binder key labels for imported PSKs

Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Tue, 03 September 2019 06:34 UTC

Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35ABE1201E0 for <tls@ietfa.amsl.com>; Mon, 2 Sep 2019 23:34:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PkeBVB1zBEGQ for <tls@ietfa.amsl.com>; Mon, 2 Sep 2019 23:34:47 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0D531200FB for <TLS@ietf.org>; Mon, 2 Sep 2019 23:34:46 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.64,462,1559512800"; d="scan'208";a="399950830"
Received: from lfbn-1-1155-200.w86-252.abo.wanadoo.fr (HELO [192.168.1.17]) ([86.252.23.200]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Sep 2019 08:34:45 +0200
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
X-Mailer: iPhone Mail (16G77)
In-Reply-To: <be3e3ff3-9561-46a2-a849-382abc847b2a@www.fastmail.com>
Date: Tue, 3 Sep 2019 08:34:44 +0200
Cc: "TLS@ietf.org" <TLS@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0DC5CA97-CE3C-4FA8-8343-AC387CDB88DC@inria.fr>
References: <be3e3ff3-9561-46a2-a849-382abc847b2a@www.fastmail.com>
To: Christopher Wood <caw@heapingbits.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/72t3Y82H0Q0cFmjXe44xMfB8dQ8>
Subject: Re: [TLS] Binder key labels for imported PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 06:34:49 -0000

Hi Chris,

I expect that the idea is to have key separation for the binder key depending on the usage. Having this kind of property is always a good practice, so I agree with Jonathan on this.

B.



> On Sep 3, 2019, at 1:29 AM, Christopher Wood <caw@heapingbits.net>; wrote:
> 
> Hi folks,
> 
> 
> Per Jonathan Hoyland's recommendation, we're considering adding a new binder_key label ("imp binder") for imported PSKs. Specifically, this changes the key schedule from this:
> 
> ~~~
>              0
>              |
>              v
>    PSK ->  HKDF-Extract = Early Secret
>              |
>              +-----> Derive-Secret(., "ext binder" | "res binder", "")
>              |                     = binder_key
> ~~~
> 
> to this:
> 
> ~~~
>              0
>              |
>              v
>    PSK ->  HKDF-Extract = Early Secret
>              |
>              +-----> Derive-Secret(., "ext binder"
>              |                      | "res binder"
>              |                      | "imp binder", "")
>              |                     = binder_key
> ~~~
> 
> Details can be found in the PR [1]. 
> 
> This does not seem to affect the interoperability story (imported keys are further differentiated from non-imported keys). However, it's non trivial, so we'd like feedback from the group before merging the change.
> 
> Thanks!
> Chris (no hat)
> 
> [1] https://github.com/tlswg/draft-ietf-tls-external-psk-importer/pull/10
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls