[TLS] IETF TLS WG <tls@ietf.org>
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 24 February 2016 21:00 UTC
Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89EAF1B2DB2 for <tls@ietfa.amsl.com>; Wed, 24 Feb 2016 13:00:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.667
X-Spam-Level:
X-Spam-Status: No, score=-101.667 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iMrbmPLCiM6o for <tls@ietfa.amsl.com>; Wed, 24 Feb 2016 13:00:46 -0800 (PST)
Received: from gproxy2-pub.mail.unifiedlayer.com (gproxy2-pub.mail.unifiedlayer.com [69.89.18.3]) by ietfa.amsl.com (Postfix) with SMTP id 7A4021B3F40 for <tls@ietf.org>; Wed, 24 Feb 2016 13:00:46 -0800 (PST)
Received: (qmail 16300 invoked by uid 0); 24 Feb 2016 21:00:46 -0000
Received: from unknown (HELO cmgw2) (10.0.90.83) by gproxy2.mail.unifiedlayer.com with SMTP; 24 Feb 2016 21:00:46 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw2 with id NM0g1s01P2UhLwi01M0j3q; Wed, 24 Feb 2016 14:00:44 -0700
X-Authority-Analysis: v=2.1 cv=PPOcp5aC c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=48vgC7mUAAAA:8 a=IkcTkHD0fZMA:10 a=XYUc-DgfXtMA:10 a=o8x0CelELPUA:10 a=jFJIQSaiL_oA:10 a=WlxsqyjbAAAA:8 a=UqCG9HQmAAAA:8 a=yMhMjlubAAAA:8 a=YQ246BAETzN11YYJCgwA:9 a=WcVKV2y--jPWfSvT:21 a=FOOxSty1iXvg7TnK:21 a=QEXdDO2ut3YA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Cc:Subject:From:To; bh=NpS/gybR4StDbTia6keIY2w7hUtc91HggS7wBHyUf2Y=; b=Tdt5CZDsIIRhCaCJdZz4Kyjs2iCrGM+ymSOU+YGhSV0aWhS1pPRgadE6eK9eLXS4CXSIawlDu6BFclpBTIdz16ARlzbSNB5R2s0x7kIi+Om2qQD/cRxn5I8ziJ1M4cq0;
Received: from [70.213.12.105] (port=6577 helo=[10.0.0.1]) by box514.bluehost.com with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1aYgY6-0002hO-IX; Wed, 24 Feb 2016 14:00:42 -0700
To: Andrei Popov <Andrei.Popov@microsoft.com>
From: =JeffH <Jeff.Hodges@KingsMountain.com>
Message-ID: <56CE19F5.2050101@KingsMountain.com>
Date: Wed, 24 Feb 2016 13:00:37 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 70.213.12.105 authed with jeff.hodges+kingsmountain.com}
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NZF89HjqdSD5rueAu1rPxtlb9wA>
Cc: IETF TLS WG <tls@ietf.org>
Subject: [TLS] IETF TLS WG <tls@ietf.org>
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 21:00:48 -0000
> Tls13-11 I-D is not very clear on this, but my reading is that > exporter_secret is the TLS 1.3 version of the Keying Material Exporters. > If this is correct, then there are two pieces currently missing: the > ability to specify a custom label and the ability to mix in application > context. I don't know where this should live; perhaps RFC 5705 will need > to be updated once TLS 1.3 is sufficiently baked. > > I also presume that exporter_secret (or a similar construction defined > in the updated RFC 5705) will become the recommended replacement for > tls-unique. The 1.3 key schedule appears to be under discussion, so > things might change. Thanks Andrei, the above confirms my own assessment/suspicions. =JeffH > -----Original Message----- > From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of =JeffH > Sent: Tuesday, February 23, 2016 4:31 PM > To: Ilari Liusvaara <ilariliusvaara@welho.com> > Cc: IETF TLS WG <tls@ietf.org> > Subject: Re: [TLS] RFC5705 Keying Material Exporters for TLS -- not applicable to TLS 1.3 ? > > Hi Ilari, > > Ilari replied on Wed, 17 Feb 2016: > > On Wed, Feb 17, 2016 at 11:25:12AM -0800, =JeffH wrote: > >> Hi, > >> > >> RFC5705 section 4 "Exporter Definition" [1] states.. > >> > >> The exporter takes three input values: > >> > >> o a disambiguating label string, > >> > >> o a per-association context value provided by the application using > >> the exporter, and > >> > >> o a length value. > >> > >> If no context is provided, it then computes: > >> > >> PRF(... > >> )[length] > >> > >> If context is provided, it computes: > >> > >> PRF(... > >> )[length] > >> > >> > >> ..i.e., RFC5705 directly utilizes the TLS PRF (pseudo-random function) >> from TLS {1.0, 1.1, 1.3}. Since the PRF() is no longer defined in TLS >> 1.3, RFC5705 is incompatible with TLS 1.3, yes? > > [...the above question remains unanswered...] > > >> > >> Also, draft-ietf-tls-tls13-11 seems to contain a built-in keying material >> exporter (KME) in S 7.1 step 8 [2].. > >> > >> 7.1. Key Schedule > >> > >> [...] > >> > >> 8. exporter_secret = HKDF-Expand-Label(master_secret, > >> "exporter master secret", > >> handshake_hash, L) > >> [...] > >> > >> > >> ..i.e., does the above step "8." effectively define the TLS 1.3 keying >> material exporter? > >> > > > > Well, it isn't clear to me what TLS 1.3 exporters should do. Presumably > the "master secret" used for calculations is exporter_secret. > > agreed -- that is what is being referred to in various msgs on the list as "EMS" (exporter master secret?) ? > > > > However, just replacing the PRF in definition with the standard TLS 1.3 > > PRF (HKDF) would leave those exporters using randoms, which aren't > > explicitly used anywhere in TLS 1.3. > > hm, I'm not sure I understand. > > back on 8-Oct you mused on the below [1].. > > One idea for TLS-unique for TLS 1.3: Invoke TLS-EXPORTER with: > > label: "TLS 1.3 tls-unqiue" > context: No context > Length: 256 > > And define TLS-EXPORTER for TLS 1.3 as (this looks ugly, have some > better way at handling both context and no context cases? In original > RFC, those were different): > > tmp = HKDF-Extract(label, exporter_secret) > output = HKDF-Expand(tmp, 0x01 | context, L) > > or (no context case) > > tmp = HKDF-Extract(label, exporter_secret) > output = HKDF-Expand(tmp, <blank>, L) > > > ..where "output" would apparently be the Exported Keying Material value, > which seems plausible (modulo refining the Label). So I'm not sure > where/what you meant by "using randoms" above... exporter_secret is not a > "random", yes? > > =JeffH > > [1] https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmail-archive%2fweb%2ftls%2fcurrent%2fmsg17924.html&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c92109063b8904679be8f08d33cb1d6b8%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=8kyi1lG2n6i4M40Uo2p%2bwA%2fi7in%2by1TcgiZcwZbXiIY%3d > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c92109063b8904679be8f08d33cb1d6b8%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=24nM3SyRy4yzg3lznrwYx5ECzf3ZkJqkRcYWQwlJn20%3d > >