Re: [TLS] TLS1.3 HkdfLabel - value of label<0..6> ?
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 31 March 2019 13:46 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19CCD120185 for <tls@ietfa.amsl.com>; Sun, 31 Mar 2019 06:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7P6h4O3Dpuqv for <tls@ietfa.amsl.com>; Sun, 31 Mar 2019 06:46:07 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F2E212017E for <tls@ietf.org>; Sun, 31 Mar 2019 06:46:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id EA68D45BFD; Sun, 31 Mar 2019 16:46:03 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id oILVN8P0_6-z; Sun, 31 Mar 2019 16:46:03 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id B02A42320; Sun, 31 Mar 2019 16:46:00 +0300 (EEST)
Date: Sun, 31 Mar 2019 16:46:00 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: M K Saravanan <mksarav@gmail.com>
Cc: tls@ietf.org
Message-ID: <20190331134600.GA31227@LK-Perkele-VII>
References: <CAG5P2e-M8qAWzUjtz3fbAOOc6xmPNy19NMS2d6yFCHOegF8t8w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAG5P2e-M8qAWzUjtz3fbAOOc6xmPNy19NMS2d6yFCHOegF8t8w@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ur02FutM60WebMxSWJCu7P9cIzo>
Subject: Re: [TLS] TLS1.3 HkdfLabel - value of label<0..6> ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 13:46:10 -0000
On Sun, Mar 31, 2019 at 08:38:47PM +0800, M K Saravanan wrote: > Hi, > > https://tools.ietf.org/html/rfc8446 > ============ > 7.1. Key Schedule > > The key derivation process makes use of the HKDF-Extract and > HKDF-Expand functions as defined for HKDF [RFC5869], as well as the > functions defined below: > > HKDF-Expand-Label(Secret, Label, Context, Length) = > HKDF-Expand(Secret, HkdfLabel, Length) > > Where HkdfLabel is specified as: > > struct { > uint16 length = Length; > opaque label<7..255> = "tls13 " + Label; > opaque context<0..255> = Context; > } HkdfLabel; > ============ > > In this struct, what is the value of label<0..6>? The syntax "opaque label<7..255>" means that label is octet string of at least 7 and at most 255 octets, and that its length is encoded using 1 octet. The string "tls13 " is 6 octets long, so that impiles that Label is at least 1 octet and at most 249 octets long. So for example if Label is "s hs traffic", then the label (including the length field) is: \x12 "tls13 s hs traffic" The \x12 is the octet with value 18 (which happens to be ASCII DC2) because the remainder is 18 octets. And as another example if Label is "c e traffic", then the label (again including length field is: \x11 "tls13 c e traffic" The \x11 is the octet with value 17 (which happens to be ASCII DC1) because the remainder is 17 octets. In the first case, if the ciphersuite has SHA-256 hash, then the whole HkdfLabel looks like the following (in hex): 00 20 #32 octets of output (2 octets) 12 #18 octets label length (1 octet) "tls13 s hs traffic" #The actual label (18 octets) 20 #32 octet transcript input (1 octet). hash(client_hello+server_hello) #Transcript (32 octets). In total, this is 54 bytes (64 bytes after adding HKDF and SHA-256 internal overhead). There is only one output block, and the input fits into one block so evaluating the HKDF-Expand takes 4 SHA-256 block operations. The one ciphersuite using SHA-384 would instead give (in hex): 00 30 #48 octets of output (2 octets) 12 #18 octets label length (1 octet) "tls13 s hs traffic" #The actual label (18 octets) 30 #48 octet transcript input (1 octet). hash(client_hello+server_hello) #Transcript (48 octets). In total, 70 bytes. Again, only one output block and only one input block, so evaluation takes 4 SHA-384 block operations. -Ilari
- [TLS] TLS1.3 HkdfLabel - value of label<0..6> ? M K Saravanan
- Re: [TLS] TLS1.3 HkdfLabel - value of label<0..6>… Ilari Liusvaara
- Re: [TLS] TLS1.3 HkdfLabel - value of label<0..6>… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] TLS1.3 HkdfLabel - value of label<0..6>… M K Saravanan
- Re: [TLS] TLS1.3 HkdfLabel - value of label<0..6>… Hugo Krawczyk