Re: [TLS] Binding imported PSKs to KDFs rather than hash functions

"Martin Thomson" <> Tue, 17 September 2019 02:19 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Tue, Sep 17, 2019, at 11:26, Martin Thomson wrote:
> What we learned from TLS 1.3 is that HKDF is effectively a completely 
> different KDF when it is used with a different hash function.

Hugo points out that I should clarify this to add:

One should not use HKDF with two hash functions (or more generally two KDF functions) and the same IKM. The same way as you should not use two different cryptographic functions with the same key.

This is an idea that this draft exists to support, so it needs to be very careful about how it does the same itself.
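An added illustration of the point in this message, not code from the thread or from the draft: the first helper feeds one secret straight into HKDF under whichever hash is in use, and the second keys a single fixed KDF with the secret and derives a separate key per target KDF. The label string, the `import_psk` and `direct_use` names, the choice of SHA-256 as the fixed KDF and the sample secret are all assumptions made for the example.

```python
import hashlib
import hmac

def hkdf_extract(hash_name, salt, ikm):
    # RFC 5869 step 1; an absent salt is HashLen zero bytes.
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()

def hkdf_expand(hash_name, prk, info, length):
    # RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i)
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]

# Constructed sample secret, for illustration only.
EXTERNAL_PSK = bytes(range(32))

# Assumption: the one KDF that is ever keyed with the raw secret.
IMPORT_HASH = "sha256"

def direct_use(external_psk, hash_name):
    # The pattern the message warns about: the same IKM goes into HKDF
    # under whatever hash the caller picked, so one key feeds several KDFs.
    prk = hkdf_extract(hash_name, b"", external_psk)
    return hkdf_expand(hash_name, prk, b"example", 32)

def import_psk(external_psk, target_kdf):
    # Key separation: the raw secret only ever keys IMPORT_HASH, and the
    # target KDF name is bound into the derivation (hypothetical label).
    prk = hkdf_extract(IMPORT_HASH, b"", external_psk)
    info = b"example imported psk|" + target_kdf.encode("ascii")
    out_len = hashlib.new(target_kdf).digest_size
    return hkdf_expand(IMPORT_HASH, prk, info, out_len)

if __name__ == "__main__":
    for kdf in ("sha256", "sha384"):
        print(kdf, "direct:", direct_use(EXTERNAL_PSK, kdf).hex())
        print(kdf, "bound: ", import_psk(EXTERNAL_PSK, kdf).hex())
```

That the two `direct_use` outputs differ says nothing about whether the reuse is safe; what the second helper changes is that each KDF receives its own key.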