Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Sean Turner <turners@ieca.com> Wed, 17 June 2015 19:03 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB2011B2D32 for <tls@ietfa.amsl.com>; Wed, 17 Jun 2015 12:03:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.632
X-Spam-Level:
X-Spam-Status: No, score=0.632 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, IP_NOT_FRIENDLY=0.334, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9Z8zjuOVYOf for <tls@ietfa.amsl.com>; Wed, 17 Jun 2015 12:03:16 -0700 (PDT)
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [69.41.242.28]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE1D1B2D35 for <tls@ietf.org>; Wed, 17 Jun 2015 12:03:16 -0700 (PDT)
Received: by gateway08.websitewelcome.com (Postfix, from userid 5007) id AAA2074A5FDD3; Wed, 17 Jun 2015 14:03:15 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway08.websitewelcome.com (Postfix) with ESMTP id 94EFF74A5FD85 for <tls@ietf.org>; Wed, 17 Jun 2015 14:03:15 -0500 (CDT)
Received: from [96.231.223.98] (port=58702 helo=[172.16.0.112]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1Z5IcF-0001U2-33 for tls@ietf.org; Wed, 17 Jun 2015 14:03:15 -0500
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com>
Date: Wed, 17 Jun 2015 15:03:13 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <5EB44559-367E-4173-833D-69E806D33587@ieca.com>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com>
To: "<tls@ietf.org>" <tls@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.223.98
X-Exim-ID: 1Z5IcF-0001U2-33
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([172.16.0.112]) [96.231.223.98]:58702
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QmeW2UPQ7r4yMgLfW59j0EIANIo>
Subject: Re: [TLS] =?windows-1252?q?confirming_the_room=92s_consensus=3A_adopt?= =?windows-1252?q?_HKDF_PRF_for_TLS_1=2E3?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 19:03:18 -0000

All,

The consensus of the WG is to replace the current TLS PRF with an HKDF PRF.  Being more specific (and using Brian’s wording), the TLS 1.3 will use an HKDF-Extract, then HKDF-Expand, with suitable parameters, as recommended in RFC5869, to build the keyblock that will be partitioned into keys.  The TLS extractor will also use HKDF in a similar way for new versions of TLS.

WRT the downref issue, this seems entirely procedural and can be dealt with during the WG/IETF LCs; we’ll call it out in our WGLC,  get our AD to do it during the IETF LC per the procedures in RFC 3967, and assuming consensus is reached we can normatively refer to an informational RFC.

WRT msj’s technical comments about including the length L of the output key material to the info string, it seems like we are free to do so if we choose to.  I want to avoid having a consensus call on every issue so if somebody is really against adding the length L of the output key material to the info string - please start a thread and say why not.

spt

On Apr 01, 2015, at 14:00, Sean Turner <turners@ieca.com> wrote:

> This message is to confirm the consensus reached @ the IETF 92 TLS session in Dallas and at the TLS Interim in Seattle to make the TLS 1.3 PRF be an HKDF-based PRF (see http://datatracker.ietf.org/doc/rfc5869/?include_text=1).
> 
> Please indicate whether or not you agree with the consensus by 2015-04-17.  If not, please indicate why.  Also, please note that we’re interested in uncovering new issues not rehashing issues already discussed.
> 
> Thanks - J&S