IETF Logo Mail Archive

Re: [TLS] PRF in TLS 1.2

Eric Rescorla <ekr@networkresonance.com> Mon, 18 September 2006 22:57 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GPS3m-0003xF-Ha; Mon, 18 Sep 2006 18:57:54 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GPS3l-0003x6-5G for tls@ietf.org; Mon, 18 Sep 2006 18:57:53 -0400
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GPS3i-0005Xm-Ps for tls@ietf.org; Mon, 18 Sep 2006 18:57:53 -0400
Received: by raman.networkresonance.com (Postfix, from userid 1001) id EED1C1E8C28; Mon, 18 Sep 2006 15:57:49 -0700 (PDT)
To: Wan-Teh Chang <wtchang@redhat.com>
Subject: Re: [TLS] PRF in TLS 1.2
References: <450F222D.2020706@redhat.com>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Mon, 18 Sep 2006 15:57:49 -0700
In-Reply-To: <450F222D.2020706@redhat.com> (Wan-Teh Chang's message of "Mon, 18 Sep 2006 15:48:13 -0700")
Message-ID: <86k6403hqq.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3e15cc4fdc61d7bce84032741d11c8e5
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Wan-Teh Chang <wtchang@redhat.com> writes:

> Hi,
>
> Could someone please post a description of what was decided
> about the PRF in TLS 1.2 in the Montreal WG meeting?
>
> The only documents I can find on this topic are:
>
> - Slide 7 of Eric's presentation
>   (http://www3.ietf.org/proceedings/06jul/slides/tls-1.pdf)
>
> - Eric's TLS WG Summary
>    http://www1.ietf.org/mail-archive/web/tls/current/msg00698.html
>
> But I can't tell from the WG summary what was decided and whether
> the proposal in Slide 7 was accepted.

Here's a summary of what was decided.

1. The default PRF is the TLS 1.1 PRF with a single hash algorithm
   and the entire key used as input to P_hash. 
2. All current cipher suites will use SHA-1 in TLS 1.2.
3. New cipher suites will by default use the TLS 1.1 PRF with whatever
   hash they're using for HMAC.
4. New cipher suites can define a new PRF but it must use the same 
   "API" as the TLS 1.1 PRF.

This is roughly what's in the current I-D, except that I deleted
a crucial paragraph through sloppy editing. It should read 
approximately:

	The PRF is derived from P_hash as:

	    PRF(secret, label, seed) = P_<hash>(secret, label + seed)

	Where <hash> is dependent on the cipher suite. For the
        cipher suites defined in this document it SHALL be SHA-1.
        For future cipher suites it SHALL be the hash used in
        the record HMAC unless otherwise specified in the cipher
        suite description.


> I'd also like to know what new PRFs have been proposed, and who
> the proponents are.

The new PRFs that people seem interested in are:

1. The GOST PRF (draft-chudov-cryptopro-cptls-03.txt)
2. The FIPS 800-56A KDF.

-Ekr




_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email