Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Michael StJohns <msj@nthpermutation.com> Mon, 27 April 2015 00:01 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FC461ACEED for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 17:01:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k5K2Pj1BRF1E for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 17:01:50 -0700 (PDT)
Received: from mail-vn0-f52.google.com (mail-vn0-f52.google.com [209.85.216.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A911ACEFB for <tls@ietf.org>; Sun, 26 Apr 2015 17:01:50 -0700 (PDT)
Received: by vnbf190 with SMTP id f190so10033498vnb.1 for <tls@ietf.org>; Sun, 26 Apr 2015 17:01:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=+OQtW2mClIf2p5CXmETXXLRr6jC9TukacvFH90KxHwM=; b=CzMxwuO8nro7a8fKJj2EMwLjgvBhTcuSLUkVjkoYb6zVUh8WryVH3uTaHEyvH0onaa 2wlMpXNFGfPqAiYoVcy/D9jCIjLwjU1enn4urW027RT4jkdrG6tBDZaYd+O0BxmOfpe9 T4fqPFsNZG+D70SKdAk3LApTFKlJ9ZxLP4X7WeTnnztaOVAVShVgT1xzOMq2lwqdUiEg SU/wTTP1Gcf41QY3UzsECJoTduhXc0kMlZk16XqPYE5bGveBGoCHVUTCim+FnOki9ems I6qIUj9VTmjuaqEYatyB+EOkVRcdMI9rZONvJYx+k3BkZPR2Dt6Z00W8YcSRDGmBBtrO h6XA==
X-Gm-Message-State: ALoCoQnmtztBk7/WdrkaW8kMLzfu8xGWGFGV/0HPr8GXJA9/z2tZ+k/kxY5F06QrvyQDZjs15NfJ
X-Received: by 10.52.240.14 with SMTP id vw14mr21599836vdc.29.1430092910012; Sun, 26 Apr 2015 17:01:50 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:84:cae:d6cf:19b5:13bc? ([2601:a:2a00:84:cae:d6cf:19b5:13bc]) by mx.google.com with ESMTPSA id mk16sm21456013vdb.12.2015.04.26.17.01.49 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Apr 2015 17:01:49 -0700 (PDT)
Message-ID: <553D7C6C.7010903@nthpermutation.com>
Date: Sun, 26 Apr 2015 20:01:48 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com> <551DDD4E.5070509@nthpermutation.com> <F7F3EB83-FEA2-477C-8810-38C49B71C977@ieca.com> <551E290D.7020207@nthpermutation.com> <55381768.8010402@nthpermutation.com> <CACsn0cm5A50dP4JDKq9R0XdB83hyzPPLQHAMnUcXFb+DCSwV7g@mail.gmail.com> <55392B08.6020304@nthpermutation.com> <CADi0yUPTixoesXkgd=HYe_+ua_+=_UfcDBSndCgdh1usTzNpzQ@mail.gmail.com> <553D3572.6040408@nthpermutation.com> <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>
In-Reply-To: <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050901030100020508060000"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Rk8FYU51HjiOx_61_U6P0jI1Gx4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2015 00:01:52 -0000

On 4/26/2015 4:20 PM, Hugo Krawczyk wrote:
>
>     You can include the length term in info, but it won't be enforced
>     by the HSM and depending on the format of the INFO field could
>     actually be spoofed as this is all user supplied info that isn't
>     known to be related to the actual desired output length.
>
>
>  Adding the length is not a solution to spoofing attacks- it will not 
> differentiate between keys of the same length.
> You cannot compensate via the KDF for unauthorized access to the HSM. 
> If the HSM doesn't enforce an access policy, it is the HSM problem, 
> not something to solve via the KDF or via TLS 1.3 spec.
> ​

Adding the length is not a solution to spoofing attacks and does not 
differentiate between keys of the same length, but it will differentiate 
between keys of _different_ lengths which is where the attack comes 
in.   The problem is not in the math of the KDF, but in the HSMs ability 
to determine how to convert key stream material into concrete keys in a 
manner that doesn't subject them to attack.

If I have a key that's derived from another key, I would like that it 
not be trivial for an attacker who has access to the HSM to extract that 
derived key.  I believe that making the change to add the length makes 
it difficult to do such extraction and apparently(?) so did the 
reviewers of SP800-108(?).

Mike