Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 24 April 2015 21:32 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BBF71AC3FF for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 14:32:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.645
X-Spam-Level: **
X-Spam-Status: No, score=2.645 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, J_CHICKENPOX_36=0.6, MALFORMED_FREEMAIL=0.001, MIME_8BIT_HEADER=0.3, MISSING_HEADERS=1.021, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfdVjEUj8F6L for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 14:32:23 -0700 (PDT)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38ECA1ACD09 for <tls@ietf.org>; Fri, 24 Apr 2015 14:32:23 -0700 (PDT)
Received: by lbbqq2 with SMTP id qq2so45751054lbb.3 for <tls@ietf.org>; Fri, 24 Apr 2015 14:32:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:cc:content-type; bh=nTD256U5xvA2EJjKSEFrNKLmLHlWRNQjncOMet6th5I=; b=xZ6gyL6KUsk/XwioNfWRintoiiv1/xmDnmS2OtBElkCKv8Mzg30OACbfP2sZicaTwV cUsB1toyQGbQ0JOHKJKiEpfxmw2MvvpxVn5/Q3jxCvja3p+MQKTY6og/0WYO4VpQ9eDn 5hEbh7+kk3Z1VGI3ABNKu8cID9OD7E7C6NmT+5VEqMhuZCqC3OWQo5R6fjUbPDkfU+g8 vQXs2eAg3wYFwdxpxB7PvezxCItBj95JPoQV6WFcPBJw3TSmrqcl0AUaPzh0zPKx4ITh i1vkX4m+KbauSMCDe+q/i3+2tmvL9ntrKZ25tTKFauyWxLHuUeeA0ems3lqeW0eOGQtw i+1Q==
X-Received: by 10.112.185.100 with SMTP id fb4mr308788lbc.79.1429911141711; Fri, 24 Apr 2015 14:32:21 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.66 with HTTP; Fri, 24 Apr 2015 14:31:51 -0700 (PDT)
In-Reply-To: <55392B08.6020304@nthpermutation.com>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com> <551DDD4E.5070509@nthpermutation.com> <F7F3EB83-FEA2-477C-8810-38C49B71C977@ieca.com> <551E290D.7020207@nthpermutation.com> <55381768.8010402@nthpermutation.com> <CACsn0cm5A50dP4JDKq9R0XdB83hyzPPLQHAMnUcXFb+DCSwV7g@mail.gmail.com> <55392B08.6020304@nthpermutation.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 24 Apr 2015 17:31:51 -0400
X-Google-Sender-Auth: yAasUgciFkwuj438yPWYvb_h_Rk
Message-ID: <CADi0yUPTixoesXkgd=HYe_+ua_+=_UfcDBSndCgdh1usTzNpzQ@mail.gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c3ca22a9861905147f21e2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/aR-qrxS_CE3WQyyb5sZBmWMf-QI>
Subject: Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2015 21:32:26 -0000
Here are a few clarifications regarding HKDF and its use in TLS 1.3 in response to recent emails (including those under the "HSM-friendly Key Computation" thread). I will not touch on anything specific to HSM or PKCS11 since I know little about these and the recent exchange on these issues has not helped me understanding these things any better (but rather confuse me more). Let me start with the issue of whether we should be using the HKDF-Extract and HKDF-Expand separately or only use HKDF as a single function (which internally operates HKDF-Extract and HKDF-Expand). There is an obvious advantage for the latter approach (single function) as it deals with HKDF as a black box. But there are also advantages to calling these two components separately, and TLS 1.3 provides some good examples for that. First, HKDF is built to output as many keys as needed from a single HKDF operation, but in TLS we are deriving multiple keys from the same keying material through separate applications of the expand part. In such a case it is more natural to apply extract once and apply expand several times (with different info fields!). For example, Master Secret is derived using a single Extract operation but it is then used in three different Expand operations for deriving other keys (application traffic keys, export master secret, and resumption master secret). Second, when one starts with a strong key then the Extract step can be skipped making it convenient to be able to call Expand directly. Third, it is convenient to call Expand directly as a PRF for computing the Finished message. Lastly, and not least, it makes the key derivation logic more explicit which helps conveying the rationale of each operation and helps those analyzing the protocol (now and in the future). My recommendation is to keep the Extract and Expand separation for the moment, in particular due to the last point, so we can see more clearly the logic while still setting the missing details of the protocol. When the whole picture is clear we can revisit this point. On other issues: - This should be obvious but worth repeating: All calls to HKDF-Expand MUST use a non-empty info field binding the derived key(s) to a unique context (in the case of TLS this is usually a label and a cumulative session-hash). - It was suggested that the length of derived keys should be part of the input to key expansion. If desired, this length can be entered through the info field of HKDF but I would be very careful not to derive two different keys where the only difference in the 'info' values is the key length. If the two keys happen to be of the same length one would end up with two keys that are identical. - One of the emails raises the issue of using random salt, as recommended by RFC 5869. Note that the RFC recommendation also indicates that the salt value should be something that is authenticated during the protocol, or otherwise it can be selected by the adversary. This authentication needs to happen independently of the key being derived using this salt. For example, one should be careful not to incur in a circular logic, e.g. deriving a key mackey=HKDF(salt, info) and then using mackey to authenticate the salt by computing MAC(mackey, salt). This is why the proposed TLS 1.3 key derivation scheme does not use nonces as salt. - Someone said: "In an ideal world we would all use the same KDFs rather than inventing a new one for each protocol." This was exactly the goal of HKDF, namely, provide a single KDF that can serve different protocols, requirements and settings. The interested reader can consult my Crypto 2010 paper https://eprint.iacr.org/2010/264 for a very detailed treatment of key derivation in general and HKDF in particular,and why this one design fits many different uses. TLS 1.3 is a perfect demonstration of the versatility of HKDF as it is used as a random oracle, randomness extractor and PRF, depending on the key material being derived. See the next item for an example. - Another issue raised in recent email exchange is the way to merge the semi-static value g^xs (where s is the semi-static server's private key and x the ephemeral client's private key) with the ephemeral value g^xy. This is done by first extracting a key from g^xs as PRK1=HKDF-extract(0,g^xs) and then extracting PRK2=HKDF-extract(PRK1,g^xy). Here is the logic: PRK1 is extracted from g^xs using HKDF(0,...) as a random oracle as needed in the proof of security. Then PRK2 is derived with salt=PRK2 for the following reason. If g^xs is not exposed (the typical case) then this HKDF use only requires treating HKDF(PRK1,...) as a PRF (essentially the less demanding property from HKDF). If g^xs is revealed by compromise of the server's semi static private key s (after the conclusion of the handshake, as in the forward-secrecy setting), then PRK1 is actually an authenticated random and non-secret salt so you use HKDF as a randomness extractor. In other words, each use of HKDF uses the minimal cryptographic assumption one can have depending on the context of derivation. - Finally, there has been a long discussion related to the derivation of both secret and non-secret material (the latter for IVs). I can't say how this works with HSMs, PKCS11 or other standards, but from the cryptographic point of view doing this "mixed" derivation of secret and non-secret values is not a problem as long as HMAC is not broken as a PRF. Hugo
- [TLS] confirming the room’s consensus: adopt HKDF… Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Daniel Kahn Gillmor
- Re: [TLS] confirming the room’s consensus: adopt … Nikos Mavrogiannopoulos
- Re: [TLS] confirming the rooms consensus: adopt … Dan Harkins
- Re: [TLS] confirming the room’s consensus: adopt … Russ Housley
- Re: [TLS] confirming the room’s consensus: adopt … Brian Smith
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Yoav Nir
- [TLS] confirming the room’s consensus: adopt HKDF… Peter Gutmann
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Nikos Mavrogiannopoulos
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Watson Ladd
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Andrey Jivsov
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Watson Ladd
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Peter Gutmann
- Re: [TLS] confirming the room’s consensus: adopt … Salz, Rich
- Re: [TLS] confirming the room’s consensus: adopt … Michael StJohns
- Re: [TLS] confirming the room’s consensus: adopt … Hugo Krawczyk
- Re: [TLS] confirming the room’s consensus: adopt … Ilari Liusvaara
- Re: [TLS] confirming the room’s consensus: adopt … Sean Turner
- Re: [TLS] confirming the room’s consensus: adopt … Eric Rescorla