Re: [TLS] HKDF
Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 24 March 2015 17:29 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B62721AC3CF for <tls@ietfa.amsl.com>; Tue, 24 Mar 2015 10:29:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CER2owxFuSwW for <tls@ietfa.amsl.com>; Tue, 24 Mar 2015 10:29:48 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 380CA1A923B for <tls@ietf.org>; Tue, 24 Mar 2015 10:29:48 -0700 (PDT)
Received: by lbcgn8 with SMTP id gn8so145992878lbc.2 for <tls@ietf.org>; Tue, 24 Mar 2015 10:29:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=cfpaOcFh7o4LVkYGfnE2HC6GkE+Ip7mtWaNsoAtLJuo=; b=zdZMczlMM2Dq9iApxDD+/nfXdGHz/bUFvqCPVpdLGxOZGHS7ZwVsWqWPih7mY+uqMa IG1N/BhT21fgMMD4j0YRpiq5h/xJmKYIEGPi0L49DSjrrk4gjC4t3mvUxLfSL7G5VTzg c9jSPzHq2BnvYEtCRXTGbIDvg8jJYXHYgWagb5YyOvjjsb95Krbdu3NX+jv52szrKgdv oWAtGaI+YRT6CgZIIbzJnnVj2uRQzrGKnQwazlsAsU7N8OuhohTkcRkTV3sSZVKFYFh6 HIioJuGlIo2O61FIU/3o1JNWkYB0PP/j3d4gqdg2iWlTPYBfoKyvaIUicVoemSOnk3Mx kphg==
X-Received: by 10.112.170.100 with SMTP id al4mr4801328lbc.42.1427218185635; Tue, 24 Mar 2015 10:29:45 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.19 with HTTP; Tue, 24 Mar 2015 10:29:15 -0700 (PDT)
In-Reply-To: <20150324121632.GA28552@LK-Perkele-VII>
References: <CABcZeBPa3j+EfMkPik7r5G-qcBpYkXTFWwYwuCeE38mFjUwpJw@mail.gmail.com> <7FA320AE-B9C2-412D-B84B-DB4CAB05B325@gmail.com> <5510FDC8.1060702@brainhub.org> <358E3F82-0777-42A1-AA75-F31AA3C2103B@gmail.com> <20150324121632.GA28552@LK-Perkele-VII>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 24 Mar 2015 13:29:15 -0400
X-Google-Sender-Auth: BEbwnk9aPeHWZJ02_yadqXUvyHk
Message-ID: <CADi0yUOwxpuKWJCsVx65ZuzBr2ipj2ScGW-HTavLLQDKVXA5iw@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="001a11c23686f8cbe305120c208a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/82x8GC-o8z9zL1f03jPgKGK2yKM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] HKDF
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 17:29:51 -0000
Here are some clarifications about HKDF that can help better understanding its rationale and use in (OP)TLS. Note: all places where I say random it can (and sometimes should) be replaced by pseudo-random meaning indistinguishable from a uniform random string. - HKDF is standardized by NIST (as an *approved* KDF mechanism) in SP-800-56C where it is explicitly stated that HKDF complies with this standard: "IETF RFC 5869 [10] describes an instantiation of the above extraction-then-expansion key derivation procedure using HMAC for the extraction and expansion steps. For extensive rationale on the key derivation through the extraction-then-expansion procedure specified in this Recommendation see [11]." For those interested, [11] appeared in Crypto 2010 and is here http://eprint.iacr.org/2010/264. - HKDF uses a two-step mechanism by which one first extracts randomness from a possibly non-uniform secret input to create a uniformly random string that is then used with a regular PRF to generate keying material. In (OP)TLS we denote the two steps as HKDF-Extract and HKDF-Expand. The rationale of the extraction part is to concentrate the "secret entropy" of the input on a single strong cryptographic key (from which more keys can be derived). - HKDF uses HMAC for both extract and expand but it could use, in principle, any regular PRF (including those from NIST) for expansion. Extraction is trickier since it is not a generic property of PRFs. The reason to use HMAC for it is that the HMAC construction has properties that support the extraction functionality under reasonable cryptographic assumptions. - Skipping the extraction property would require keying a PRF with a non-uniform key in which case the usual properties of PRF cannot be guaranteed as these properties assume a uniform random key. In TLS with RSA this was not a problem since the key transported under RSA was chosen as a random uniform string. When using a DH key or passphrase this is not the case. - Beyond the important cryptographic reasons for the extraction step, this also solves the problem of having to adapt the size of the secret input to that of a length of the key in the PRF: for example, how do you key AES-256 with a point on a 512 elliptic curve? Even with a 256 curve you would require point compression which you may or may not want to use (I hope this comment does not open a discussion of EC point representations :-). - The expansion function of HKDF is HMAC-based and is ESSENTIALLY THE SAME as in previous TLS. It even has the same feedback mode that TLS uses to expand a key (the exact inputs to the iterations changes a bit but nothing major). - There is no need for ultimate performance in the key derivation in TLS. These operations are relative minor compared to the algebraic operations. - There is nothing that ties HKDF to OPTLS in a fundamental way other than it supports the provability of the protocol, hence improving the confidence on its design. In particular, it supports a clean hierarchical key derivation for all the protocol modes. Hugo On Tue, Mar 24, 2015 at 8:16 AM, Ilari Liusvaara < ilari.liusvaara@elisanet.fi> wrote: > On Tue, Mar 24, 2015 at 06:39:43AM -0500, Yoav Nir wrote: > > > > > On Mar 24, 2015, at 1:01 AM, Andrey Jivsov <crypto@brainhub.org> > wrote: > > > > > > Please note that at least some of these can be FIPS 140 tested (in > particular, TLS PRF). Suite B expects the use of these approved KDFs. > > > > > > While NIST is perhaps too prolific with these, I feel that we should > look into standard KDFs. There are test vectors, verifications systems, > existing implementations… > > > > If such a KDF is needed for Suite-B, then it makes sense for Suite-B > ciphersuites - the ones with ECDSA, P-256 or P-384 for ECDHE, and AES-GCM. > > > > Why not include a different PRF in those suites that have > non-NIST-approved algorithms such as ChaCha20, Curve25519, and whatever > signature scheme CFRG are going to recommend? > > Or even special Suite B ciphersuites. I think there are only 2 of > those. > > - ECDHE/P-256, ECDSA/P-256, AES-128-GCM, SHA-256 > - ECDHE/P-384, ECDSA/P-384, AES-256-GCM, SHA-384 > > The basic idea being: They who care can implement that. > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] HKDF Eric Rescorla
- Re: [TLS] HKDF Dave Garrett
- Re: [TLS] HKDF Yoav Nir
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Yoav Nir
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Nikos Mavrogiannopoulos
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Brian Smith
- Re: [TLS] HKDF Eric Rescorla
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Brian Smith
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Michael StJohns
- Re: [TLS] HKDF Michael StJohns
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Richard Moore
- Re: [TLS] HKDF Watson Ladd