Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

Brian Smith <brian@briansmith.org> Mon, 21 December 2015 01:13 UTC

In-Reply-To: <CAMfhd9WV=VPECOJG30cskeFtUkfGN3BM5S-n6ctCXFkW2-38jw@mail.gmail.com>
References: <CAFewVt6=ztWUs-i5EvGaFE=_r_UgHsr_KsOwFyX+ngx6_J-tnA@mail.gmail.com> <CAFewVt7G3FVEyapwL=GE=fZ2HFaaJEYQv0rp-GmA_EdkhyQx=w@mail.gmail.com> <CAMfhd9WV=VPECOJG30cskeFtUkfGN3BM5S-n6ctCXFkW2-38jw@mail.gmail.com>
Date: Sun, 20 Dec 2015 15:13:20 -1000
Message-ID: <CAFewVt5aNfUyts=OvDnhXoYA5xerpYsdoLiSmEHDEDHhqAsPDQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Adam Langley <agl@imperialviolet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8XDgA2K9eYMd0pyUsN4nAd3T-0w>
Cc: "<tls@ietf.org>" <tls@ietf.org>

Adam Langley <agl@imperialviolet.org> wrote:

> On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <brian@briansmith.org> wrote:
> > That is, it seems it would be better to use HKDF-SHA512 instead of
> > **HKDF-SHA256**.
>
> I assume that you mean for TLS 1.3 since you mention HKDF?

No, I mean for all versions of TLS.

> I updated
> the draft recently because David Benjamin noted that the names didn't
> include the PRF (which they should these days) and that OpenSSL, at
> least, used SHA-256, so might as well make the spec match reality.
>

The version of OpenSSL that implements these cipher suites is not released
yet. They updated that implementation just 9 days ago, so it seems pretty
malleable still.

> So, the current code points are probably SHA-256 now. I don't object
> to adding more if people want SHA-384 too. Although, since the hash
> function is only used in key derivation with these cipher suites,
I don't think it would be a good idea to add more code points to negotiate
SHA-512 in the PRF while still leaving code points for negotiating SHA-256
in the PRF. It should be one or the other.
> I'm
> not sure that a slower, software implementation of SHA-256 would be a
> big problem.
It just seems really unfortunate to mandate SHA-512 for Ed25519 and then
mandate SHA-256 for ChaCha20-Poly1305 in TLS. Mandating the same algorithm
for both seems like a better idea.

Cheers,
Brian
-- 
https://briansmith.org/
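As an added illustration of what this exchange is arguing over (example code written for this page, not code from the message, from OpenSSL or from any TLS implementation), the following Python shows that the digest is a parameter of both key-derivation functions at issue: HKDF as TLS 1.3 uses it, and the TLS 1.2 PRF (P_hash) that "all versions" refers to. Swapping SHA-256 for SHA-384 or SHA-512 changes nothing structurally, only which HMAC is iterated and how many bytes each iteration yields. The secrets and randoms below are constructed sample values; the one external check is RFC 5869 test case 1 for HKDF-SHA256.

```python
"""HKDF (RFC 5869) and the TLS 1.2 PRF (RFC 5246, section 5), both parameterized
by the digest name. Constructed example for illustration; sample inputs are made up."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, digest: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). An absent salt is HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(digest).digest_size
    return hmac.new(salt, ikm, digest).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, digest: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = T(1) | T(2) | ... truncated."""
    hash_len = hashlib.new(digest).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), digest).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, digest: str = "sha256") -> bytes:
    """Extract-then-Expand with a single digest choice for both phases."""
    return hkdf_expand(hkdf_extract(salt, ikm, digest), info, length, digest)


def p_hash(secret: bytes, seed: bytes, length: int, digest: str) -> bytes:
    """P_<hash> from RFC 5246: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) | seed) | HMAC(secret, A(2) | seed) | ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, digest: str = "sha256") -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed).
    The cipher suite's PRF digest (SHA-256 or SHA-384 in practice) selects <hash>."""
    return p_hash(secret, label + seed, length, digest)


def tls12_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes,
                        digest: str = "sha256") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48, digest)


def rfc5869_test_case_1():
    """Known-answer check for HKDF-SHA256 (RFC 5869, appendix A, test case 1)."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    prk = hkdf_extract(salt, ikm, "sha256")
    return prk, hkdf_expand(prk, info, 42, "sha256")


def derive_with_both_digests() -> dict:
    """Same constructed inputs run through each derivation with two digests; only the
    digest name differs, which is the whole substance of the code-point question."""
    pms = b"constructed pre-master secret, not a real one"
    client_random, server_random = b"\x01" * 32, b"\x02" * 32
    return {
        "tls12_sha256": tls12_master_secret(pms, client_random, server_random, "sha256"),
        "tls12_sha384": tls12_master_secret(pms, client_random, server_random, "sha384"),
        "hkdf_sha256": hkdf(b"", pms, b"constructed info", 32, "sha256"),
        "hkdf_sha512": hkdf(b"", pms, b"constructed info", 32, "sha512"),
    }


if __name__ == "__main__":
    prk, okm = rfc5869_test_case_1()
    print("RFC 5869 TC1 PRK:", prk.hex())
    print("RFC 5869 TC1 OKM:", okm.hex())
    for name, value in derive_with_both_digests().items():
        print(f"{name}: {value.hex()}")
```

Note that the TLS 1.2 master secret is 48 bytes whichever digest is used; with SHA-256 that takes two P_hash iterations, with SHA-384 one, so the digest choice affects the iteration count and the HMAC cost per iteration, not the output format. HKDF-Extract, by contrast, yields a PRK of HashLen bytes, so moving to SHA-512 doubles the PRK size.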