Re: [TLS] RFC5487 PSK Key Exchange Algorithm with SHA-256/384. Premaster secret if ciphersuites negotiated for TLS V1.2?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Sun, 19 October 2014 09:37 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NlzJXknB2mBVlm-_u0tpfYTi3C4

Hi,

Sorry for replying so late, I hope this reply is still useful.

On 20/09/2014 09:51, Fox Arcadia wrote:
>  Note 2: Using zeroes for "other_secret" effectively means that
>       only the HMAC-SHA1 part (but not the HMAC-MD5 part) of the TLS PRF
>       is used when constructing the master secret.  This was considered
>       more elegant from an analytical viewpoint than, for instance,
>       using the same key for both the HMAC-MD5 and HMAC-SHA1 parts.  See
>       [KRAWCZYK <http://tools.ietf.org/html/rfc4279#ref-KRAWCZYK>] for
> a more detailed rationale.
> 
IMO, this is only a rationale for using the zeroes, not a normative part.

> but if using a PRF defined in TLS V1.2, then HMAC-MD5 is not used but
> the HMAC defined by the PRF.
> 
> And, in that case, part of the used premaster is zeroes.
> 
Yes, in that case part of the PMS is zeroes, and it's fed to the TLS PRF (using
SHA256) as is, including the zeroes.

At least, that's what we do in PolarSSL and we never had interop issues (tested
regularly with OpenSSL and GnuTLS at least).

> should we in that case reuse PSK for other_secret?
> 
Nope.

Manuel.
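As an added illustration (not part of this thread or of PolarSSL's code), the construction the reply describes in Python: the plain-PSK premaster secret with its N zero octets kept in, fed unchanged to the TLS 1.2 PRF (SHA-256, or SHA-384 for the RFC 5487 *_SHA384 suites). It goes beyond the plain-PSK case by also accepting the non-zero other_secret that RFC 4279 defines for DHE_PSK and RSA_PSK suites; the PSK and random values used are constructed, not from any real session.

```python
import hmac
import struct


def psk_premaster_secret(psk: bytes, other_secret: bytes = b"") -> bytes:
    """Premaster secret from RFC 4279, section 2:
    uint16 len(other_secret) || other_secret || uint16 len(psk) || psk.
    For plain PSK suites other_secret is N zero octets (N = len(psk)), and
    those zeroes stay in the PMS handed to the PRF, as the thread says.
    DHE_PSK / RSA_PSK suites pass their own other_secret instead."""
    if not 1 <= len(psk) <= 0xFFFF:
        raise ValueError("PSK must be non-empty and fit a uint16 length")
    if not other_secret:
        other_secret = b"\x00" * len(psk)
    return (struct.pack("!H", len(other_secret)) + other_secret
            + struct.pack("!H", len(psk)) + psk)


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> expansion from RFC 5246, section 5 (A(i) chaining)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: one P_<hash> over label + seed. No MD5/SHA-1 split as in
    TLS 1.0/1.1, so the zeroes are simply part of the HMAC key material."""
    return p_hash(hash_name, secret, label + seed, length)


def master_secret(psk: bytes, client_random: bytes, server_random: bytes,
                  hash_name: str = "sha256") -> bytes:
    """48-byte master secret for a plain PSK suite under TLS 1.2."""
    pms = psk_premaster_secret(psk)
    return tls12_prf(pms, b"master secret", client_random + server_random,
                     48, hash_name)


if __name__ == "__main__":
    # Constructed sample values only.
    print(master_secret(b"\x01\x02\x03", b"C" * 32, b"S" * 32).hex())
```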