[TLS] Issue 555: Generate IVs in one HKDF invocation?

Eric Rescorla <ekr@rtfm.com> Wed, 17 August 2016 22:10 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4691B12D7B6 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2016 15:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UvhTtNhO_jWr for <tls@ietfa.amsl.com>; Wed, 17 Aug 2016 15:10:32 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67E612B025 for <tls@ietf.org>; Wed, 17 Aug 2016 15:10:32 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id u134so679048ywg.3 for <tls@ietf.org>; Wed, 17 Aug 2016 15:10:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=T4v4V5pIM8si1hJw1T8hmRVqqZgB3816QNZAQa3RTSM=; b=ywhMbF6S7o6hDR8YRKTeU1VEmx8NeAreGYsUsNbmYnVHdJRjOrs+TL4J6g7SHHpBEb 9mvqRaXlTz4RADt+Yy4QzjYXc7Y+pNUhcj7oZX3rrD/p5OS4WJOodUYF05zH9oyW+GJT jswDLqzzdVxW+wIlVPoGUaGlKH7oa+zhJ416Couoeh9H011krNxCxlYs8Ac10pSOBKkd vAHFTnWIVe9EtN4rz0y2LolvV8WEymirHvrVsh1yAEE2q/7mQ36h7ePsZoPHYawi1xrx XDEB5Guj5GVW7OggdCnkqJ5HxVKTKxoygiyJjgcD4v95HSxC/J8zNiJejaP4JcgOOcuo lwkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=T4v4V5pIM8si1hJw1T8hmRVqqZgB3816QNZAQa3RTSM=; b=fMG2ZEnsd/A7gKaLV5hAoNpbq+/nRN2ksCxyupiRe2Xd4N6tKJk2q3rnnD7InKmqB1 c3ECqHkuK+tiPIbbxyP7SE09oJ0ugqwyVjFWdc7PQrxUXSxLX6Zhd7ROlygIalf/xYp7 CaLjtoDSAJyESLJgyULfbFFTMcCvP5T57jR3FQHIJ9iZqRM5uodLQk6Gu1DViY0WNgT7 n3hjw0Tl//raNRgHw6FkYzf3B22NDrqd7U8u2gl8sxhl2imxUsiTCsz24o9zblrkrO04 B9I5Sp/kva+lUS1lSO/7+6izRs1EqVILKhFbgYb4MtBfBMZICvdKFkVkzUvqBlc7erxx e1Dw==
X-Gm-Message-State: AEkoout5/yF5lUt/egVGnNDssiwddT/f6THWa99E1lK2h8Vrx62trlGl0JUvf+Gead9/oOR0lF9wQ0AKI1Kmcw==
X-Received: by 10.13.244.197 with SMTP id d188mr31682843ywf.276.1471471831892; Wed, 17 Aug 2016 15:10:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.48.193 with HTTP; Wed, 17 Aug 2016 15:09:51 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 17 Aug 2016 15:09:51 -0700
Message-ID: <CABcZeBMCoEhsDTTioQVCRP=qYLnijS+8wtGFLw1kyYy+fkfyhQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c086548d67863053a4bbb26
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XTDMnWu4TnQf_JWopSXMqxVLIYg>
Subject: [TLS] Issue 555: Generate IVs in one HKDF invocation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 22:10:34 -0000

Issue:
  https://github.com/tlswg/tls13-spec/issues/555

ADL suggested that we could slightly reduce the number of HKDF
computations by generating the IVs as a single block rather than
with individual HKDF-Expands. You can't generally do this kind
of slice-and-dice and preserve the key boundary, but IVs are
public anyway.

At least for NSS, this makes things slightly more complicated
because we generate the directional traffic keys independently,
but it's also not a big deal to change if people want.

Comments in favor or against?