Re: [TLS] Adding an additional step to exporters

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 24 February 2017 10:02 UTC

On Fri, Feb 24, 2017 at 04:40:19PM +1100, Martin Thomson wrote:
> On 24 February 2017 at 16:01, Sean Turner <sean@sn3rd.com> wrote:
> > So this isn’t entirely novel, right? I mean, we did something similar wrt other key schedules?
> 
> I certainly hope it isn't novel.  I'm just applying the same
> technique: keep independent keys independent.

This technique seems to assume there is some fixed known set of exporter
labels that are used. Since if you don't know the full set, you need to
keep the master exporter secret around anyway.

> On 24 February 2017 at 16:09, Felix Günther <guenther@cs.tu-darmstadt.de> wrote:
> > just to clarify: you add an additional HKDF.Expand step, not
> > HKDF.Extract, right?
> 
> Yes, you are right, I should have said expand.  You need to use expand
> to get the label-based separation on type.
> 
> I don't know how I got confused about that.  If we need to maintain
> extract and expand in pairs (as we have already been burned by), then
> I will defer to cryptographers on that.

The creator of HKDF stated that HKDF should always be used with paired
extracts and expands and any departure from that should be done with
utmost care.


Both the existing design and this design fail this: Because exporter
secrets are of expanded type, you would need to extract them, and
derive-secret is an expansion-type operation.

Note that passing the label as salt is definitely a very bad idea, since you
will get trivial collisions due to how HKDF works internally. And
doing so even with a hash might be a bad idea.



-Ilari
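
The label-as-salt collisions mentioned in the message above, as an added example that is not part of the original message or of any TLS draft. It assumes HKDF with SHA-256 as defined in RFC 5869; the secret, the labels and the function names are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # SHA-256: 64-byte block, 32-byte output


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def compare_label_placement() -> dict:
    secret = bytes(range(32))  # constructed stand-in for an exporter secret
    # Constructed labels. HMAC zero-pads keys shorter than the hash block,
    # so a label and the same label plus a NUL byte give the same HMAC key.
    short_a, short_b = b"EXPORTER-demo", b"EXPORTER-demo\x00"
    # HMAC hashes keys longer than the block, so a long label and its
    # SHA-256 digest also give the same HMAC key.
    long_a = b"EXPORTER-" + b"x" * 80
    long_b = HASH(long_a).digest()
    return {
        "salt_padding_collision":
            hkdf_extract(short_a, secret) == hkdf_extract(short_b, secret),
        "salt_long_key_collision":
            hkdf_extract(long_a, secret) == hkdf_extract(long_b, secret),
        "info_padding_collision":
            hkdf_expand(secret, short_a, 32) == hkdf_expand(secret, short_b, 32),
        "info_long_key_collision":
            hkdf_expand(secret, long_a, 32) == hkdf_expand(secret, long_b, 32),
    }


if __name__ == "__main__":
    for name, collided in compare_label_placement().items():
        print(f"{name}: {collided}")
```

Both salt cases collide because the salt is used as the HMAC key, while the same labels passed as Expand's info are part of the HMAC message and stay distinct.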