Re: [TLS] Binding imported PSKs to KDFs rather than hash functions

"Martin Thomson" <mt@lowentropy.net> Wed, 18 September 2019 23:32 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC1291200B3 for <tls@ietfa.amsl.com>; Wed, 18 Sep 2019 16:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=IxympqWQ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=r37x0y/U
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXQfns5irdVv for <tls@ietfa.amsl.com>; Wed, 18 Sep 2019 16:32:12 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC07712008F for <tls@ietf.org>; Wed, 18 Sep 2019 16:32:12 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 51FB5645 for <tls@ietf.org>; Wed, 18 Sep 2019 19:32:12 -0400 (EDT)
Received: from imap7 ([10.202.2.57]) by compute1.internal (MEProxy); Wed, 18 Sep 2019 19:32:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=hOBLlz1oL6nk5gElLeBdGvLTI70ewZP RpJ3RFQkbgPo=; b=IxympqWQLlac1nHaBmNZ+nTU2iaXrrqyUCrtW0gJeGa4/JT ZOqRXQ6K3vUwVZD6KfDglZxKUPAUW8FnIJ9C11IBwTDESbUeDQR0TPLN3Ctgw98m MZjSu6bPGlDB4qMp4xHBgMj+50SUCZW/HfdYQ53SJM75mynnkMthDbNkvlAGvHl5 WfzgUHo5FSO+ZKOfisLmdku36MXMdXZg2iqtSDg8DvJSYB6LCwaXfRDnP9NqEQhq Sobe4v9AwBb9arYd/6FwGBNKR8cogmVLtkq9kHsp8TDI9+g6TZh28yDjTseNCg+s sjY6ZFYEsYsK92pwHaxBEfyXzy20g+BwKHPrhFg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=hOBLlz 1oL6nk5gElLeBdGvLTI70ewZPRpJ3RFQkbgPo=; b=r37x0y/UpowehL1hWyGxYN jxDTeoBzu7I/Dpb1wSNB2JyCijS8UaDF4j8ATe9spIlTPmfANGd2IU2zHGLP6GgX AlxOaC/tpbXAiY85QdoBxbfq9GxViodYoKfsb7+dWOzavkCsrSI9vvQaM3msAmht Qqktw9bMKMENk2no0ekIpdI34kRm5nRp9Bg+iRdq4gz7jwzmGHab3X4JfQY6y/of rKnvitH+SgghBPezOrQggt3EmU3N9kajoN5KS12rPxsmo6lCAhmN4Frjh7xBSaUi WBEKVFt07fmoBfn2K5oo4vqrdZN5Z9BknY/OjGrTla+VRAt+Nfgc6wdiCjIDw5WQ ==
X-ME-Sender: <xms:e76CXTrspWoW8c4hWPNn8wD-tJfOk31FL2M4N0sUos9UtErCJMFIHQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudelgddulecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofi gvnhhtrhhophihrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:e76CXaGmT_WsqIJq3hMa_sU2wMVdfn_UzIdlrzzYn2ehYi3fSKAEkA> <xmx:e76CXcOsTZzlaXQE6dMTfz0xiL1j6Ekay1aOoUed50EHFR-hOmZ9Ng> <xmx:e76CXYVslqbBXbvbOUwcJvmkVdOm7szShv6aIirbAi8le9yal8TcJA> <xmx:e76CXQCFRXgnbjN2PrqgqAIj1ns35iiOhM5Nc_cXDzzCzG2VY1W_Yg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B66731C0001; Wed, 18 Sep 2019 19:32:11 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-238-g170a812-fmstable-20190913v1
Mime-Version: 1.0
Message-Id: <c3aac25a-bd7e-4ab6-9f5a-cb0a4548fdcb@www.fastmail.com>
In-Reply-To: <93833d8a-76c5-4c0c-b5c7-ac39bcc1cb71@www.fastmail.com>
References: <e484c148-d64b-4538-9145-85e0363b0cc9@www.fastmail.com> <1f5dda7a-576c-4309-b465-7fa93c2d7662@www.fastmail.com> <f0aa22d1-0461-47d6-b0c3-c26c664c0d50@www.fastmail.com> <96018dee-e0a5-45c4-877b-447aa277494a@www.fastmail.com> <93833d8a-76c5-4c0c-b5c7-ac39bcc1cb71@www.fastmail.com>
Date: Thu, 19 Sep 2019 09:31:51 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XoYI2_LWfxv2of5DhddaZKc2BG8>
Subject: Re: [TLS] Binding imported PSKs to KDFs rather than hash functions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 23:32:14 -0000

On Thu, Sep 19, 2019, at 01:41, Christopher Wood wrote:
> Ah, so, I think this is where the miscommunication is happening! The 
> target KDFs I've been envisioning are not protocol specific. 

As HKDF and the TLS 1.2 PRF are not the same function, wouldn't it be better to have separate identifiers?  Sure, we could rely on the `protocol` field to diversify the output, but I think that we should be applying the same principle throughout, namely that the one key is only used with the one KDF instantiation.