Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Michael StJohns <msj@nthpermutation.com> Mon, 27 April 2015 00:06 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42CFB1AD1FE for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 17:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DUd7g_xErF2P for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 17:06:49 -0700 (PDT)
Received: from mail-vn0-f51.google.com (mail-vn0-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6D571AD1EC for <tls@ietf.org>; Sun, 26 Apr 2015 17:06:48 -0700 (PDT)
Received: by vnbf1 with SMTP id f1so10061755vnb.0 for <tls@ietf.org>; Sun, 26 Apr 2015 17:06:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=2Ictzz4OSofGjPsaOC1dE3BcZ3LM9YrJgXfVHs7Q/og=; b=da8bnXQnKdT3xamf/oXe/Ql2YA/+lrjzTqR49tPVs+wsvkPwlzW/JmjJcyX1hXhXf0 ZXligNx+dgsb8m5Ac6ygHQESGY2WF+WQB2s2Gr/uiUk4zAyRWClRPSmFVvgArmEvsJer laLMMw+dh10jlowdmjyCuRctFAvZLwC5oqE7uCZnGc2v3HfejPn0g7raktkSCGbBktgp C9xtJDJ3yxdvOPr0zpwc1j9a5jyN4i1jY1MrcLbP/YFiqjEF1GPc8bPHtvP0QRdLAZ5N +Y/NBmH1N1u2K/uefuph7mWTk8iUptV2qbWi67xGWTV8102A50lZewyJyzM9PuhfYt8Y rIrA==
X-Gm-Message-State: ALoCoQkzNySuhsJuwqcWoGvaqIWhuYbjl/hjBspryyt9DIqneaBwdO08uYXuyYQxIItwIEe3rPHX
X-Received: by 10.52.109.229 with SMTP id hv5mr21654226vdb.91.1430093208045; Sun, 26 Apr 2015 17:06:48 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:84:cae:d6cf:19b5:13bc? ([2601:a:2a00:84:cae:d6cf:19b5:13bc]) by mx.google.com with ESMTPSA id de3sm21513640vdc.17.2015.04.26.17.06.47 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Apr 2015 17:06:47 -0700 (PDT)
Message-ID: <553D7D96.8020908@nthpermutation.com>
Date: Sun, 26 Apr 2015 20:06:46 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com> <551DDD4E.5070509@nthpermutation.com> <F7F3EB83-FEA2-477C-8810-38C49B71C977@ieca.com> <551E290D.7020207@nthpermutation.com> <55381768.8010402@nthpermutation.com> <CACsn0cm5A50dP4JDKq9R0XdB83hyzPPLQHAMnUcXFb+DCSwV7g@mail.gmail.com> <55392B08.6020304@nthpermutation.com> <CADi0yUPTixoesXkgd=HYe_+ua_+=_UfcDBSndCgdh1usTzNpzQ@mail.gmail.com> <553D3572.6040408@nthpermutation.com> <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>
In-Reply-To: <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000000080307000904070902"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/XEj_F1hVOh7VAvznqr8K3Ywch7c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] =?utf-8?q?confirming_the_room=E2=80=99s_consensus=3A_adopt_?= =?utf-8?q?HKDF_PRF_for_TLS_1=2E3?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2015 00:06:50 -0000

On 4/26/2015 4:20 PM, Hugo Krawczyk wrote:
>
>     See section 7.5 of
>     ​ ​
>     SP800-108 for a discussion of key separation especially paragraph
>     (2) and why this is important.
>
> ​ I agree with section 7.5 and HKDF, and its use in TLS 1.3, fully 
> complies with it. There is no mandatory use of length as input. It is 
> certainly allowed but not mandated. And when allowing it, it is 
> accommodated via the equivalent of the 'info' ​
> ​ field:
> /"different input data strings (e.g. Label || 0x00 || Context || [L]2) 
> shall be used for different executions".
> /Length is an example and not even listed in the explicit examples at 
> the top of page 19.


You missed:

> The compromise of the keying material output from one of the 
> executions of the KDF must not degrade the security of any of the 
> keying material output from the other executions of the KDF,

Two calls to the KDF that are designed to produce the same key material 
with the same exact characteristics is fine.  But when you can call the 
KDF multiple times with the same input data and assign the output key 
stream to different lengths of keys, you have a problem.

I can do what I said - call and compromise the single byte generation of 
a key with the same input master key and INFO, and repeat it with 
increasing lengths to extract the entire key stream. I think that counts 
as cross compromise.

Later, Mike