Re: [TLS] HKDF
Andrey Jivsov <crypto@brainhub.org> Tue, 24 March 2015 06:01 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C977C1B2CA2 for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 23:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIVw8mxQ_40m for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 23:01:48 -0700 (PDT)
Received: from resqmta-po-11v.sys.comcast.net (resqmta-po-11v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:170]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71C681B2CA4 for <tls@ietf.org>; Mon, 23 Mar 2015 23:01:46 -0700 (PDT)
Received: from resomta-po-02v.sys.comcast.net ([96.114.154.226]) by resqmta-po-11v.sys.comcast.net with comcast id 7J1l1q0064tLnxL01J1lJc; Tue, 24 Mar 2015 06:01:45 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-02v.sys.comcast.net with comcast id 7J1k1q00A4uhcbK01J1kYH; Tue, 24 Mar 2015 06:01:45 +0000
Message-ID: <5510FDC8.1060702@brainhub.org>
Date: Mon, 23 Mar 2015 23:01:44 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBPa3j+EfMkPik7r5G-qcBpYkXTFWwYwuCeE38mFjUwpJw@mail.gmail.com> <7FA320AE-B9C2-412D-B84B-DB4CAB05B325@gmail.com>
In-Reply-To: <7FA320AE-B9C2-412D-B84B-DB4CAB05B325@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1427176905; bh=iGNLXPj0Y42XqVVZOZE+r30XnqGUWRWbox0DTTldq7I=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=Pcjrpu/7CRarjkDU24EK3Ro13TsTHf4cHF+TxBTVZn6lOqvw9oc41IKH6fILzw2lq nfd3D0Mc3LXnUO+NoE3vyyYk5VjzCj1SJ5zM3D5fYVdpLOQTmqRvTuuJZEProQODBd OeoPmK0pu50petG//aNq0FvWPLO3CWkYAbxFVLJH8vnbuw51duIX6DiLZoOFq6/t59 0QMlYthzrKSqJLZKEziU26UuneL0kU6pCl96+0oE3orWV3B7nCmQyboHnTQZuayix4 8XOnScYS2FrVuTQa9VAZOtG1gdktagG9RFvjoSDOPYEqD1bPHywfyI91Wpk8hzAS0I PuWVc59lFBLSw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CXkpuii--FmVgyOAc--mk9vi5sc>
Subject: Re: [TLS] HKDF
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2015 06:01:50 -0000
On 03/23/2015 09:58 PM, Yoav Nir wrote: >> On Mar 23, 2015, at 9:19 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> As I mentioned in a previous message [0] during the interim we discussed >> moving from the TLS PRF to HKDF [RFC5869]. >> >> The general sentiment was: >> >> - Move to HKDF >> - Specify both SHA-256 and SHA-384 (the latter being required for >> Suite B) >> >> This is also the time when we would want to look at adjusting >> the key expansion to separate keys and IVs (assuming we still >> have IVs). >> >> Please use this thread to discuss this topic. >> > OK, since you’re proposing to abandon the current TLS PRF: > > 1. Why? What is wrong with the TLS PRF, and > 2. If we’re changing it, why not to a fast PRF such as blake2? > > Yoav > I am somewhat sympathetic to this sentiment. Please also consider that KDFs and related processes are standardized by NIST. E.g.: 1. NIST-prescribed way to do KDF, SP 800 108A (it includes HMAC KDF for key expansion) 2. NIST DH schemes include KDF, SP 800-56A rev2 (HKDF paper of 2010 criticizes the first revision; rev 2 is dated 2015) 3. NIST grandfathered TLS KDF in SP 800-135. 4. A very similar SP 800-56C that documents Extraction-then-Expansion, where expansion is done with #1 (credits Hugo Krawczyk, among others) Please note that at least some of these can be FIPS 140 tested (in particular, TLS PRF). Suite B expects the use of these approved KDFs. While NIST is perhaps too prolific with these, I feel that we should look into standard KDFs. There are test vectors, verifications systems, existing implementations...
- [TLS] HKDF Eric Rescorla
- Re: [TLS] HKDF Dave Garrett
- Re: [TLS] HKDF Yoav Nir
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Yoav Nir
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Nikos Mavrogiannopoulos
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Brian Smith
- Re: [TLS] HKDF Eric Rescorla
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Brian Smith
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Michael StJohns
- Re: [TLS] HKDF Michael StJohns
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Richard Moore
- Re: [TLS] HKDF Watson Ladd