Re: [TLS] Key Schedule (PRs #453, #454).
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 19 May 2016 19:11 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DB4712D62D for <tls@ietfa.amsl.com>; Thu, 19 May 2016 12:11:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.315
X-Spam-Level:
X-Spam-Status: No, score=-3.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L4=0.001, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TDW42nLH8mp for <tls@ietfa.amsl.com>; Thu, 19 May 2016 12:11:57 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 5170F12DAFD for <tls@ietf.org>; Thu, 19 May 2016 12:11:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 3CF1DF923; Thu, 19 May 2016 22:11:56 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id VeMEbA50A9K4; Thu, 19 May 2016 22:11:55 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-155-121.bb.dnainternet.fi [87.100.155.121]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id D85AA2310; Thu, 19 May 2016 22:11:55 +0300 (EEST)
Date: Thu, 19 May 2016 22:11:53 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160519191152.GA4667@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBN+T1uAc8Eye3Q7M7W96XJoG8+=Ng+uZNzzf-XeJWY_7Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBN+T1uAc8Eye3Q7M7W96XJoG8+=Ng+uZNzzf-XeJWY_7Q@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ILazjQwgvUHWw_otXaFST3cipr8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Key Schedule (PRs #453, #454).
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 19:11:59 -0000
On Thu, May 19, 2016 at 10:41:16AM -0700, Eric Rescorla wrote: > > An additional nice point about this design is that it easily > accomodates additional keys. For instance, if we had some post-quantum > key exchange method, we could easily add its key in the final > Add-Secret or add an extra Add-Secret stage before HS. Similarly, if > we had a long-term DH key as in OPTLSv1, it could replace the 0 in the > final Add-Secret. Just one thing to be careful of: If one has off-handshake counter- keys[1] (like the now-removed GDH 0-RTT mode had), one needs to hash those in, or one gets all kinds of crypto screw (which may or may not be actually exploitable...) The "context identifier" looks real handy for that purpose... > CONTEXT IDENTIFIER > > The resumption_psk is then used as the PSK for resumption and the > resumption_context is added to the hash of the handshake messages > whenever you use them, currently just by appending to the hash, as in: > > Hash(handshake messages) +resumption_context > > This is used *both* to derive the keys and for the input to > the CertificateVerify/Finished. For convenience, I've Oh, even better than the original "contexts" proposal, as this is non-checked. As said, if you ever need off-handshake counterkeys (as above, and you most probably do for adding any sort of realistic post-quantum capabilities[2]), this looks real handy for mixing those in. [1] Any server-side key that isn't explicitly sent as part of the hand- shake (most probably having been sent before in prior handshake) but still is involved in the handshake. [2] There does exist PQ Key Agreement, but it currently just provoded by one system that is relatively slow (through not completely impractical) and severly underanalyzed (major problem). -Ilari
- [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Ilari Liusvaara
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla
- Re: [TLS] Key Schedule (PRs #453, #454). Martin Thomson
- Re: [TLS] Key Schedule (PRs #453, #454). Eric Rescorla