Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 25 April 2015 06:16 UTC

To: Andrey Jivsov <crypto@brainhub.org>
Cc: tls@ietf.org

On Fri, Apr 24, 2015 at 10:59:53PM -0700, Andrey Jivsov wrote:
> On 04/24/2015 10:34 PM, Ilari Liusvaara wrote:
> 
> Ilari beat me on this, but I also made this observation. In more detail:
> 
> According to the intended use of HKDF, HKDF-Extract is this:
> 
>    HMS = HKDF-Extract( salt=0, IKM=g^xy )
> 
> Which is:
> 
>    A. HMAC( 0, g^xy ) = Hash( opad || Hash( ipad || g^xy ) ).
> 
> The two invocations of the Hash() begin with hashing fixed values, so one
> can rewrite A as
> 
>    A1: Hash1( Hash2( g^xy ) ),
> 
> which can be rewritten as
> 
>    A2: Hash3( g^xy ) = Hash( opad || Hash( ipad || g^xy ) )
> 
> Therefore, HKDF-Extract( 0, g^xy ) should be viewed as a deterministic hash of
> g^xy, and that's the only contribution of g^xy in HKDF.
> 
> For comparison, TLS 1.2 does the following in the first step:
> 
>    B. Hash( g^xy ^ opad || Hash( (g^xy ^ ipad) || "master secret" +
> ClientHello.random + ServerHello.random ) );
> 
> It would be amusing to see a case when A2 is secure, while B is not.

Actually, in TLS 1.2, if one uses FFDHE, or if one somehow manages to
use excessively large ECC keys (most likely P-521 with SHA-256),
then the g^xy is replaced by Hash(g^xy).

Also, with extended master secret (needed to fix all sorts of security
problems from lack of CRK):

Hash( g^xy ^ opad || Hash( (g^xy ^ ipad) || "extended master secret" +
handshake_hash ) );

-Ilari
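The two observations in this exchange can be checked directly: Andrey's A2 (HKDF-Extract with a zero salt collapses to a fixed, unkeyed composition of two hashes of g^xy) and Ilari's remark that TLS 1.2 hashes the shared secret first when it exceeds the HMAC block size. The following is an added example, not code from the thread or from any TLS implementation; the IKM values are constructed stand-ins sized like real DH outputs, and the TLS 1.2 PRF step follows RFC 5246's P_hash definition rather than Andrey's shorthand B.

```python
import hashlib
import hmac

# Constructed stand-ins for Diffie-Hellman outputs (not real key material), sized like
# a P-256 x-coordinate, a P-521 x-coordinate and a 2048-bit FFDHE shared secret.
IKM_P256 = bytes(range(32))
IKM_P521 = bytes(range(66))
IKM_FFDHE = bytes(range(256))

def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()

def hash3(ikm: bytes, hash_name: str = "sha256") -> bytes:
    """Andrey's A2 written out: with an all-zero key the HMAC pads are the constants
    0x36.. and 0x5c.., so HKDF-Extract(0, g^xy) is an unkeyed two-step hash of g^xy."""
    block = hashlib.new(hash_name).block_size
    inner = hashlib.new(hash_name, b"\x36" * block + ikm).digest()
    return hashlib.new(hash_name, b"\x5c" * block + inner).digest()

def tls12_effective_secret(secret: bytes, hash_name: str = "sha256") -> bytes:
    """Ilari's point: HMAC (RFC 2104) replaces a key longer than the hash block size
    by Hash(key), so with SHA-256 (64-byte blocks) an FFDHE or P-521 secret is hashed first."""
    block = hashlib.new(hash_name).block_size
    return hashlib.new(hash_name, secret).digest() if len(secret) > block else secret

def tls12_p_hash_block1(secret: bytes, label: bytes, seed: bytes, hash_name: str = "sha256") -> bytes:
    """First block of the TLS 1.2 PRF (RFC 5246 P_hash): A(1) = HMAC(secret, label||seed),
    P(1) = HMAC(secret, A(1)||label||seed). The secret is the HMAC key, not the message."""
    a1 = hmac.new(secret, label + seed, hash_name).digest()
    return hmac.new(secret, a1 + label + seed, hash_name).digest()

def check_reductions() -> dict:
    """Concrete versions of the claims in the thread, keyed by claim."""
    label, seed = b"master secret", bytes(64)  # constructed ClientHello.random || ServerHello.random
    return {
        "a2_holds": all(hkdf_extract(b"", k) == hash3(k) for k in (IKM_P256, IKM_P521, IKM_FFDHE)),
        "p256_key_hashed": tls12_effective_secret(IKM_P256) != IKM_P256,
        "p521_key_hashed": tls12_effective_secret(IKM_P521) != IKM_P521,
        "ffdhe_key_hashed": tls12_effective_secret(IKM_FFDHE) != IKM_FFDHE,
        # HMAC with the long secret equals HMAC with its hash: g^xy is effectively replaced by Hash(g^xy).
        "ffdhe_prf_uses_hash": tls12_p_hash_block1(IKM_FFDHE, label, seed)
        == tls12_p_hash_block1(tls12_effective_secret(IKM_FFDHE), label, seed),
    }
```

Note that a 32-byte P-256 secret fits in one SHA-256 block and is used as the HMAC key unchanged, which is why Ilari singles out FFDHE and P-521 with SHA-256.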