Re: [TLS] Issue #964: Shortened HKDF labels
Eric Rescorla <ekr@rtfm.com> Mon, 24 April 2017 16:40 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 402E3131846 for <tls@ietfa.amsl.com>; Mon, 24 Apr 2017 09:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MU1a4O-PCoVh for <tls@ietfa.amsl.com>; Mon, 24 Apr 2017 09:40:14 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA653131844 for <tls@ietf.org>; Mon, 24 Apr 2017 09:40:13 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id k11so37330005ywb.1 for <tls@ietf.org>; Mon, 24 Apr 2017 09:40:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tD8D01RYdADwwoUjIHqj9CXNfioqc7LnNuolxpmzcYQ=; b=Kq0qSWOYVEtw4GOy1O0v+8ujxpOosQwK3aUcq0JbZ3orJApIqmNDVMqZmR5ZwnjVsU 101JVbg7IOLzNWEPX/ayh50eZ2Dhz54+dP2wQJcY6chCsOHM+mgVln7GxcKIXMEeo/0Q Gj2g3lVnlD+twf+wmXGm8vyBnha3dVkHKSVOH9WmoP3S/yO7FqixxGoNpcUtCd066HvN ohNKoVvKHhQH430AOvaQNjk1xxAgLtRzWhtJWVVaHkZdAFIonpTODr1SQ5DdSZ7GzpcK 01BNp3Tp9ZYt2qOJ0o1rtubQOmXRgE1qypXD4hz5VeL9OFNVKTM7KBE4FPXpEKhB6X8o B0aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tD8D01RYdADwwoUjIHqj9CXNfioqc7LnNuolxpmzcYQ=; b=m4GSz9fUvaDZEUwo/FaD13vGk5Neo6UDnE00873bJRcMytTFK7H3gz3FmV2DSoqoXu 7xJJoJiXQwPR6AG7BOBqUwyjIUXKxSpumonR3OYkDpYMxB9wWk0WhSJLUp93WdXFfJX+ KLGPly/LSvCWW45i0qmVoSzlq1ArYRh6tM12lVnXKyJzn5+wO7NjnU7RRztONTuAzS3P qz5fUIbjRMpYz1drwxbnW9MucYgo2K8687d2QT4yGNSMklQ/FJjgrg2LvuQldgzqMUzx w6DRm8W+T4KiziqmU6UTNUT/fCqgCwwaV5qzQItxYhcZqO1q4RwyqSeSm2VwrP2fZvwH WZDw==
X-Gm-Message-State: AN3rC/6FqI7viSHSNFmWrx4mW7lrN76W+NUV4TIUr9C7Ek2rP5DiJtRu 2phs9mADgTwKm4sC+l2eM1zdL7lBuYp2
X-Received: by 10.129.172.93 with SMTP id z29mr5489158ywj.125.1493052012861; Mon, 24 Apr 2017 09:40:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Mon, 24 Apr 2017 09:39:32 -0700 (PDT)
In-Reply-To: <20170424161619.GA18783@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBP_0d+14_3SQ3sk+knytxpo4yxq5eYwGn++GC8H9BpUfw@mail.gmail.com> <20170424152422.GA18543@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBOoFRwwKO7SqjgcVGMU2UneUiaNXGr4GRO=80C3tsxo-w@mail.gmail.com> <20170424161619.GA18783@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 24 Apr 2017 09:39:32 -0700
Message-ID: <CABcZeBMriYeFZO5OJnBZvDbhw57V0F5_SBXwvcq8FAXTASa9Bw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f285cdbdd8a054dec421f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TVqzuY0KA503JbYW5baQUPr87W0>
Subject: Re: [TLS] Issue #964: Shortened HKDF labels
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2017 16:40:16 -0000
Nice catch. 9 bytes seems a bit cramped. What I suggest here is that we remove the "TLS 1.3, ", as it was just there by analogy to the handshake context and then we are back to having 18 bytes. If people feel like we should have some "TLS" prefix, I think "TLS " would be enough, giving us 1 bytes. -Ekr On Mon, Apr 24, 2017 at 9:16 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Mon, Apr 24, 2017 at 08:28:33AM -0700, Eric Rescorla wrote: > > On Mon, Apr 24, 2017 at 8:24 AM, Ilari Liusvaara < > ilariliusvaara@welho.com> > > wrote: > > > > > On Mon, Apr 24, 2017 at 05:56:58AM -0700, Eric Rescorla wrote: > > > > https://github.com/tlswg/tls13-spec/issues/964 > > > > > > > > Here is a proposed set of new labels, which, while slightly less > clear, > > > all > > > > fit > > > > into the 18 byte limit which Ilari (and I agree) says is what we > have. > > Aargh, turns out that Merke-Damgård strengthening probably affects > things... > > For SHA-256, MD strengthening consists of padding bit and 64-bit > message bit count, for total of 65-512 bits of padding. > > Trying to construct the raw SHA-256 message words for inner hash with > 9 byte label (K is key, L is label, H is hash). > > KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK > 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 > 00201254 4C532031 2E332C20 LLLLLLLL LLLLLLLL LL20HHHH HHHHHHHH HHHHHHHH > HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHH0180 00000000 000003B8 > > Adding 10th byte to label seems to blow the block (0x3C0=1*512+448): > > KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK > 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 > 00201354 4C532031 2E332C20 LLLLLLLL LLLLLLLL LLLL20HH HHHHHHHH HHHHHHHH > HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHH01 80000000 00000000 > 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 > 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000003C0 > > > For comparision, with SHA-384, the blocks for 9-byte label seem to be: > > KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK > KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK 3636363636363636 3636363636363636 > 3636363636363636 3636363636363636 3636363636363636 3636363636363636 > 3636363636363636 3636363636363636 3636363636363636 3636363636363636 > 003012544C532031 2E332C20LLLLLLLL LLLLLLLLLL30HHHH HHHHHHHHHHHHHHHH > HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH > HHHHHHHHHHHH0180 0000000000000000 0000000000000000 0000000000000000 > 0000000000000000 0000000000000000 0000000000000000 0000000000000638 > > (Which has 327 hash block padding bits). > > > -Ilari >
- [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Ilari Liusvaara
- Re: [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Ilari Liusvaara
- Re: [TLS] Issue #964: Shortened HKDF labels Dave Garrett
- Re: [TLS] Issue #964: Shortened HKDF labels Benjamin Kaduk
- Re: [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Salz, Rich
- Re: [TLS] Issue #964: Shortened HKDF labels Benjamin Kaduk
- Re: [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Benjamin Kaduk
- Re: [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Dave Garrett
- Re: [TLS] Issue #964: Shortened HKDF labels Eric Rescorla
- Re: [TLS] Issue #964: Shortened HKDF labels Ilari Liusvaara
- Re: [TLS] Issue #964: Shortened HKDF labels Martin Thomson