Re: [TLS] HKDF
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 25 March 2015 17:15 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D96411A904E for <tls@ietfa.amsl.com>; Wed, 25 Mar 2015 10:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0XYHWdcZarNj for <tls@ietfa.amsl.com>; Wed, 25 Mar 2015 10:15:40 -0700 (PDT)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D57EA1A9043 for <tls@ietf.org>; Wed, 25 Mar 2015 10:15:34 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 2618281820; Wed, 25 Mar 2015 19:15:31 +0200 (EET)
Date: Wed, 25 Mar 2015 19:15:31 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Message-ID: <20150325171531.GA26949@LK-Perkele-VII>
References: <CABcZeBPa3j+EfMkPik7r5G-qcBpYkXTFWwYwuCeE38mFjUwpJw@mail.gmail.com> <7FA320AE-B9C2-412D-B84B-DB4CAB05B325@gmail.com> <5510FDC8.1060702@brainhub.org> <358E3F82-0777-42A1-AA75-F31AA3C2103B@gmail.com> <20150324121632.GA28552@LK-Perkele-VII> <CAKUk3buuP+=AA0kLF9VodASVfQSYGZq016sqcbe8eoNJRKZxGA@mail.gmail.com> <CADi0yUPG7Ac_V69__M1gQd_8fkaj=0-HEz=oL1mzTSjQjhJrBw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADi0yUPG7Ac_V69__M1gQd_8fkaj=0-HEz=oL1mzTSjQjhJrBw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/I_OYC5mO_LtPoFGG143DTdAcV_k>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] HKDF
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 17:15:43 -0000
On Wed, Mar 25, 2015 at 11:21:38AM -0400, Hugo Krawczyk wrote: > On Wed, Mar 25, 2015 at 11:02 AM, Andrey Jivsov <crypto@brainhub.org> wrote: > > > A problem with this is additional options. > > > > What are the additional options? > > You use the defined hash function. > > > There is no problem with HKDF that I see other than it relaxes assumptions > > on hash functions, > > > Relaxing assumptions is not a problem but rather a good thing: It means > that you need to assume less from the hash function, e.g. not having a > scheme broken if collisions are found on that function. TLS 1.3 already assumes prf-hash is collision-resistant. Changing this is incredibly hard, requiring extreme effort. You would need incredibly broad security proofs. > > HKDF is probably viewed as an insurance. Please note that the benefits > > will be bound by the "ad-hoc" methods to process entropy into private keys. > > That's true, but these ad-hoc methods have a better analytical basis than > just using non-uniform keys to key directly a PRF. I'm not seeing how you can have any sort of adversarial input fed to TLS PRF without having much more serious problems. Prf-hash on the other hand needs to take full burnt of adversarial input, with no strengthening at all. > > One idea for meaningful reduction of complexity in TLS is if we could > > switch to cipher-based KDF. > > > That's for the WG to decide but the results we have for the extraction > properties of block-cipher based PRFs are much weaker. Because you need a CR hash function anyway, you can't reduce complexity that way. -Ilari
- [TLS] HKDF Eric Rescorla
- Re: [TLS] HKDF Dave Garrett
- Re: [TLS] HKDF Yoav Nir
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Yoav Nir
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Andrey Jivsov
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Nikos Mavrogiannopoulos
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Brian Smith
- Re: [TLS] HKDF Eric Rescorla
- Re: [TLS] HKDF Hugo Krawczyk
- Re: [TLS] HKDF Brian Smith
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Michael StJohns
- Re: [TLS] HKDF Michael StJohns
- Re: [TLS] HKDF Ilari Liusvaara
- Re: [TLS] HKDF Richard Moore
- Re: [TLS] HKDF Watson Ladd