[TLS] Key Hierarchy

Eric Rescorla <ekr@rtfm.com> Sun, 20 September 2015 23:58 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 3264C1B2C3E for <tls@ietfa.amsl.com>; Sun, 20 Sep 2015 16:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.078
X-Spam-Status: No, score=-0.078 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Jvf9wxiWS7_I for <tls@ietfa.amsl.com>; Sun, 20 Sep 2015 16:58:53 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2150B1B2C3F for <tls@ietf.org>; Sun, 20 Sep 2015 16:58:53 -0700 (PDT)
Received: by wiclk2 with SMTP id lk2so90309325wic.1 for <tls@ietf.org>; Sun, 20 Sep 2015 16:58:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=jFePYVxAVPW/DEmHqSorppnl0Loz9nkztoYh5h5NDMY=; b=KSm+mITZQ7OKk20UmdAYnOsfTubDkodkqUUS86mimS6b558UaW8XvN0RjsbYSUMxYA EJXHbrUgFs16PiCFgh4qGO27mKW/ZZAD6QdaookS0zn8FrUueU9mUD/cqatucNs+mhQz WhkxzG2wgwg0bfUPsSmuQtoCd3i3HbFge5O5mS0WEaGhTMO1dKT/SVX2C5WwhPIiCi8b /Xzg4WgQHsMd4gBcii211KwULpXl+fnyFI0qPS2E2m8HcsQLFwjrzlMGf3JCmMhTsx0A 1gsXWsXybMUzo1M1ioE2AZQ+4/KNVLw0xutwLEJmGjM7cZtEfQr48QgMvwb9Df+zmPSK ygPQ==
X-Gm-Message-State: ALoCoQmxsjf7m35AVrMV9Vd+BZMR3tLLSyaoMNWRy2klLxowZ0lrk/9UqMVC/WT9QGbwpvknHuNS
X-Received: by with SMTP id ew9mr11001561wic.53.1442793531665; Sun, 20 Sep 2015 16:58:51 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Sun, 20 Sep 2015 16:58:12 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 20 Sep 2015 16:58:12 -0700
Message-ID: <CABcZeBPQ6VhFPzXLKcoSYHCE9E6j19W3yR0B5MjzS4bV99wATA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c384c4f084670520368b7d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/IWoaklSBqo4wZ-2zDyhNSDHUZbg>
Subject: [TLS] Key Hierarchy
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Sep 2015 23:58:57 -0000



Hugo Krawczyk, Hoeteck Wee, and Bjorn Tackmann suggested a revision
to the key hierarchy that separates out the computation of the MS from the
computation of the keys that are derived from ES and SS. Specifically,
xES and xES are to be used to derive their respective traffic keys and
intermediate values mES and mES which are then used with HKDF-Extract
to generate MS.

Aside from some analytic advantages, this also allows us to use
the HKDF-Extract and HKDF-Expand APIs from RFC 5869 which is
convenient (it's also compatible with all-in-one HKDF APIs).

The PR is at:

I think this is a good change, but comments welcome.