Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 28 April 2015 06:34 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 532CA1A026A for <tls@ietfa.amsl.com>; Mon, 27 Apr 2015 23:34:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level:
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAAM1tvfIXKj for <tls@ietfa.amsl.com>; Mon, 27 Apr 2015 23:34:50 -0700 (PDT)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F38031A0354 for <tls@ietf.org>; Mon, 27 Apr 2015 23:34:28 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 6018981976; Tue, 28 Apr 2015 09:34:26 +0300 (EEST)
Date: Tue, 28 Apr 2015 09:34:25 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Message-ID: <20150428063425.GA9647@LK-Perkele-VII>
References: <F7F3EB83-FEA2-477C-8810-38C49B71C977@ieca.com> <551E290D.7020207@nthpermutation.com> <55381768.8010402@nthpermutation.com> <CACsn0cm5A50dP4JDKq9R0XdB83hyzPPLQHAMnUcXFb+DCSwV7g@mail.gmail.com> <55392B08.6020304@nthpermutation.com> <CADi0yUPTixoesXkgd=HYe_+ua_+=_UfcDBSndCgdh1usTzNpzQ@mail.gmail.com> <553D3572.6040408@nthpermutation.com> <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com> <553D4FF7.8080700@nthpermutation.com> <CADi0yUNmOYa3D1z2d+VU2tX5ad5FfiwX5MtocL2yNvdduUgNmA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CADi0yUNmOYa3D1z2d+VU2tX5ad5FfiwX5MtocL2yNvdduUgNmA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HmwyBzgx8oCjcyR9Z1HWhOHT4xU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] =?utf-8?q?confirming_the_room=E2=80=99s__consensus=3A_adopt?= =?utf-8?q?_HKDF_PRF_for_TLS_1=2E3?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2015 06:34:52 -0000

On Tue, Apr 28, 2015 at 01:48:35AM -0400, Hugo Krawczyk wrote:
> Mike, thanks a lot for the clear explanation!
> I think I can now understand the issues you were raising. Sorry for my
> ignorance.
> 
> One thing I (think I) understand now is that this discussion had little to
> do with HKDF (specifically) but rather has to do with the inputs to the KDF
> function defined by the calling protocol, say TLS 1.3.
> 
> We can define TLS 1.3 so that calls to HKDF will always include a info
> string composed of:
> label, context (say, session-hash) and the length L of the output key
> material.
> Now, in the HSM implementation you will read the values label and context
> from the user's input but L will  be added by the HSM itself by calculating
> the length of the required key. In non-HSM implementations the software
> will add L.

I think some proposals also had key usage for derived key as an input.

Some examples of possible usages:
- KDF input key (e.g. handshake master secret)
- AES-GCM key
- AES-CCM key
- AES-CCM8 key
- Chacha20-Poly1305 key
- HMAC-SHA256 key (MAC-only key)
- Initial IV (you have other exportables anyway)
- Exportable octet string (e.g. the unique output)


This doesn't look too difficult to add (e.g. just stick as two first
octets of info or something).


-Ilari