IETF Logo Mail Archive

Re: [TLS] HSM-friendly Key Computation

Michael StJohns <msj@nthpermutation.com> Thu, 23 April 2015 17:03 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99FC31ACD08 for <tls@ietfa.amsl.com>; Thu, 23 Apr 2015 10:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWqaJ8dSlUgS for <tls@ietfa.amsl.com>; Thu, 23 Apr 2015 10:03:53 -0700 (PDT)
Received: from mail-pd0-f176.google.com (mail-pd0-f176.google.com [209.85.192.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B36B1ACD81 for <tls@ietf.org>; Thu, 23 Apr 2015 10:03:41 -0700 (PDT)
Received: by pdea3 with SMTP id a3so23425425pde.3 for <tls@ietf.org>; Thu, 23 Apr 2015 10:03:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=CSoyLZvBEJ1Oe70wWrRzdMyCXFNFzMZesklAmdxpbfU=; b=O43wIgGpYkRabahelxbj4fuHwHgp26YbMO2oPj54KtLtkhVJC1xzi9jRP7gJEtNiIx uYYGUJCrFhsD2UiefyHZVxjsBkomeP2kH6QFY3XjyjtMu+Zg9Blm3O4GYKiesunKqdUD aI1WWKxImXgxhJEx/+BfUDnBgen0Xkv5EBpKfqWzZYfL26ZvGITInBjc+mdPh2CPoRmQ KHY+oupLDwbEaDYCq/zwcpVmptk8h6iU4hvJgqNeD0u8h6WzTbnDurlOkJsFuVFlAYmK NEOTji1mTJuTVOJ+o6Ip8GW+u2jdviQWKUOGq2gQ/RiGtoqwkAm1rFTMl5P3z/2oCEcj KfkA==
X-Gm-Message-State: ALoCoQk4aD3F3MZZyVaiN1UyIDfmnpK0IcYU49bLdc1oW/4/MFak/O4SB3lv186l/vKNIYog6FO5
X-Received: by 10.68.212.41 with SMTP id nh9mr6958370pbc.166.1429808621101; Thu, 23 Apr 2015 10:03:41 -0700 (PDT)
Received: from [10.90.197.114] (soi.silverspringnet.com. [74.121.22.10]) by mx.google.com with ESMTPSA id oh2sm8585063pbb.45.2015.04.23.10.03.40 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Apr 2015 10:03:40 -0700 (PDT)
Message-ID: <553925F7.5010704@nthpermutation.com>
Date: Thu, 23 Apr 2015 13:03:51 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <0694C3DB-FB87-42A2-BCC4-CC0F761E9A03@vigilsec.com> <9A043F3CF02CD34C8E74AC1594475C73AB000B0C@uxcn10-tdc05.UoA.auckland.ac.nz> <5533F8D6.9070500@nthpermutation.com> <20150420064243.GA7322@LK-Perkele-VII> <CANeU+ZAL6oT6tP7OcL_8j6kp4oZB9V89R-0PrCdv-N27qVb0HQ@mail.gmail.com> <20150420163755.GA15511@LK-Perkele-VII> <5537D43A.9080802@REDHAT.COM> <20150422173526.GA14496@LK-Perkele-VII> <CABcZeBPN33DM_C0sAmCTFCTdNrcQ7y7eEBcZgPe+2f1EaxtXzA@mail.gmail.com> <55381302.5030307@nthpermutation.com> <CABcZeBN1W-KyNnPd9qU9dFP3dG8E=F1hOyK1NoeH-tsQT8XrFw@mail.gmail.com>
In-Reply-To: <CABcZeBN1W-KyNnPd9qU9dFP3dG8E=F1hOyK1NoeH-tsQT8XrFw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000204050604020601070708"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/O1RNONVircHVQMyEGRkbhpsKoJM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] HSM-friendly Key Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2015 17:03:55 -0000

On 4/22/2015 7:03 PM, Eric Rescorla wrote:
>
>
> On Wed, Apr 22, 2015 at 5:30 PM, Michael StJohns 
> <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote:
>
>     On 4/22/2015 1:37 PM, Eric Rescorla wrote:
>>     If we're using HKDF-Extract, can we just key off different labels?
>>
>>     -Ekr
>
>
> Sorry, read that as "HKD-Expand".
Actually, use HKDF as the term with no expand or extract suffix.

Mike



>
> -Ekr
>
>
>     Basically, no.
>
>     The Extract function is really not designed to be used standalone
>     but as a way of concentrating entropy for input to the expansion
>     phase.  Its dangerous to talk of these functions as separately
>     callable.  They are steps not separate functions.
>
>      The extract step's only non-key input - salt - is not the same as
>     the "info" input used in the expand phase - 'salt' is supposed to
>     be missing or random,  not a fixed string like a label.
>
>     "info" is where the various labels go and that's only present in
>     the expand phase.
>
>
>     What you want to do is specify as part of the mixins (e.g. 'info'
>     - e.g. the collection of label and context)  a set of fields that
>     describe 1) how the key stream is going to be broken up (eg.
>     lengths of the sub keys), 2) what algorithms will use each of the
>     parts of the key stream, and 3) whether or not those parts are
>     allowed to be exported/extracted.
>
>     A software module will basically ignore these because - really -
>     its all the same memory although it should really make sure the
>     key lengths and types matc.  An HSM will look at these and be able
>     to make policy decisions for protection of the segments (e.g.
>     preventing export of material that was created to be non-exportable).
>
>     Having all of these in the mixins means that the key stream
>     expansion completely changes if ANY of these mixins change which
>     in turn means  that the various ways you can use to extract truly
>     secret key material (as differentiated from exportable material)
>     from an HSM using the currently defined mechanism can be
>     eliminated.  (I can explain my reasoning if necessary).
>
>
>     Mike
>
>
>
>>
>>     On Wed, Apr 22, 2015 at 1:35 PM, Ilari Liusvaara
>>     <ilari.liusvaara@elisanet.fi
>>     <mailto:ilari.liusvaara@elisanet.fi>> wrote:
>>
>>         On Wed, Apr 22, 2015 at 10:02:50AM -0700, Robert Relyea wrote:
>>         > On 04/20/2015 09:37 AM, Ilari Liusvaara wrote:
>>         > >
>>         > >There are other places in TLS that fundamentally need to (indirectly) derive
>>         > >public data out of secret key material.
>>         > That's not a a problem. The problem is using the same
>>         mechanism to derive
>>         > the public data that we use to derive the keys.
>>         > It's even OK to use the same secret key for both (from an
>>         HSM POV).
>>         >
>>         > What Michael is saying is that there are existing functions
>>         for both KDF
>>         > (secret material -> key) and Mac (secret material-> unique
>>         public data).
>>         > He's requesting that TLS not have it's own versions of
>>         these functions.
>>
>>         So would using two different PRF functions, one for parts
>>         that don't
>>         downgrade and another for parts that do downgrade (e.g. IV
>>         derivation,
>>         unique / finished calculations, exporter calculations, etc..)
>>         solve the
>>         issue?
>>
>>         (Of course, the two functions should be closely related, so
>>         not to
>>         annoy software implementations too much)...
>>
>>
>>         -Ilari
>>
>>         _______________________________________________
>>         TLS mailing list
>>         TLS@ietf.org <mailto:TLS@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>>
>>     _______________________________________________
>>     TLS mailing list
>>     TLS@ietf.org  <mailto:TLS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/tls
>
>
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email