Re: [TLS] Key Hierarchy

Brian Smith <brian@briansmith.org> Mon, 21 September 2015 01:56 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610461B2F6C for <tls@ietfa.amsl.com>; Sun, 20 Sep 2015 18:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xh9ARZfhfmnD for <tls@ietfa.amsl.com>; Sun, 20 Sep 2015 18:56:45 -0700 (PDT)
Received: from mail-ig0-f170.google.com (mail-ig0-f170.google.com [209.85.213.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87CB81B2F6B for <tls@ietf.org>; Sun, 20 Sep 2015 18:56:45 -0700 (PDT)
Received: by igcrk20 with SMTP id rk20so51270072igc.1 for <tls@ietf.org>; Sun, 20 Sep 2015 18:56:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=WPmCq0GYNXsv/TlhXvELBjFUxkjF3aVsB6meNmqmM1s=; b=UXeDRPZi6aRLLzPHoVKUHu9lLo+wUC4lmog2fCKiT+22xXe+3WFNmDDjAD+tY15vAW VyCaSToawMN8QtPlbAZ6fp7pS0ypWgt/bJk6yU6EdaHx9kPGSq3MEM+hhutpKhnVmsLl ZJ20XETeJxyPPM8rhJD5d6qbGOn1KNgk5vg8g97apr0+cYxdEhZA6pkew9wLY3oeHBKX IjoWBGgBtRbNcsGf5Wy2lAEQu4D3wpPn4/w68CbFqk53B2Nrxe1j8L75DcGusyN92jRe TGCL99vGoJc5OA5bXEDd/dIyguG+dQTRhuCWc96t2k5/jFsV2KddKeY00iNHZbXiRrJY cJwQ==
X-Gm-Message-State: ALoCoQkFnmVJAJr+VV7855Xy9sHlcKs890PZDW1EEVAk1xnaWqfbyoX9au0forw9mNE5j6tigsIs
MIME-Version: 1.0
X-Received: by 10.50.143.1 with SMTP id sa1mr8973491igb.32.1442800604832; Sun, 20 Sep 2015 18:56:44 -0700 (PDT)
Received: by 10.79.107.204 with HTTP; Sun, 20 Sep 2015 18:56:44 -0700 (PDT)
In-Reply-To: <CABcZeBPQ6VhFPzXLKcoSYHCE9E6j19W3yR0B5MjzS4bV99wATA@mail.gmail.com>
References: <CABcZeBPQ6VhFPzXLKcoSYHCE9E6j19W3yR0B5MjzS4bV99wATA@mail.gmail.com>
Date: Sun, 20 Sep 2015 18:56:44 -0700
Message-ID: <CAFewVt7G0_-DG7QHA3hBXRbhf5=+mX5tEsYTn_0-M7m9bz5TmA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary=001a1134bdaa88847105203831a0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Uc79z-fr-ViZePif_FjYRYj2JPc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Key Hierarchy
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2015 01:56:47 -0000

On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> https://github.com/tlswg/tls13-spec/pull/248
>
> Aside from some analytic advantages
>

What are the analytic advantages?

Also, a question that applied even to the older design: I remember the an
HKDF paper and the HKDF paper stating that before it is safe to use a value
as an HKDF salt, it must be authenticated. But, in both the old and new
designs it seems like an authenticated value is being used as the salt in
the HKDF-Extract(mSS, mES) operation. What does this mean for the security
analysis?

One of the notes in the new design draws some attention to the strange fact
that we compress the output of the ECDHE operation to the length of a
digest function that is independent of the length of the ECDH keys used.
For example, if we used P-256 in the ECDHE operation for a AES-128-GCM
cipher suite, we'd compress the output to 256 bits using HKDF-Extract with
SHA-256. But, if we used P-521 in the ECDHE operation for the same cipher
suite,  we'd still compress the output to 256 bits using HKDF-Extract with
SHA-256. That seems wrong. I would guess it makes more sense to choose the
HKDF digest algorithm based on the size of the ECDHE key. Note that in the
NSA Suite B Profile for TLS, they fixed this by requiring a more rigid
relationship between the ECDHE key size and the cipher suite than what TLS
requires. See [1]. I think it's worth considering whether the current
(older and newer) design makes is better or worse than a design like the
NSA Suite B Profile in this respect.

[1] https://tools.ietf.org/html/rfc6460#section-3.1.

Cheers,
Brian
-- 
https://briansmith.org/