Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

Adam Langley <agl@imperialviolet.org> Sun, 20 December 2015 20:54 UTC

In-Reply-To: <CAFewVt7G3FVEyapwL=GE=fZ2HFaaJEYQv0rp-GmA_EdkhyQx=w@mail.gmail.com>
References: <CAFewVt6=ztWUs-i5EvGaFE=_r_UgHsr_KsOwFyX+ngx6_J-tnA@mail.gmail.com> <CAFewVt7G3FVEyapwL=GE=fZ2HFaaJEYQv0rp-GmA_EdkhyQx=w@mail.gmail.com>
Date: Sun, 20 Dec 2015 12:54:26 -0800
Message-ID: <CAMfhd9WV=VPECOJG30cskeFtUkfGN3BM5S-n6ctCXFkW2-38jw@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Brian Smith <brian@briansmith.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/aeh8jN6_FNRaC5ZvG5hj2-HARRI>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <brian@briansmith.org> wrote:
>> The recent renaming of the ChaCha20-Poly1305 cipher suites brought
>> something to my attention that I hadn't thought about before. It seems like
>> it might be better to use HKDF-SHA512 instead of HKDF-SHA512, and
>
>
> That is, it seems it would be better to use HKDF-SHA512 instead of
> **HKDF-SHA256**.

I assume that you mean for TLS 1.3 since you mention HKDF? I updated
the draft recently because David Benjamin noted that the names didn't
include the PRF (which they should these days) and that OpenSSL, at
least, used SHA-256, so might as well make the spec match reality.

So, the current code points are probably SHA-256 now. I don't object
to adding more if people want SHA-384 too. Although, since the hash
function is only used in key derivation with these cipher suites, I'm
not sure that a slower, software implementation of SHA-256 would be a
big problem.


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
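The point above, that for the ChaCha20-Poly1305 suites the named hash is used only in key derivation and never per record, is easy to make concrete by counting. The following is an added example, not code from the draft, from OpenSSL, or from anyone on the thread: it implements the TLS 1.2 PRF of RFC 5246 (P_SHA256, and P_SHA384 for comparison) and drives it through the key schedule of a ChaCha20-Poly1305 suite using the lengths from RFC 7905 (32-byte key, 12-byte fixed IV, no MAC key), counting every HMAC call in a handshake. The pre-master secret, randoms and transcript hash are constructed test values, not real handshake data. TLS 1.3 derives with HKDF instead of this PRF, but the observation is the same: the cost is per handshake and does not grow with the amount of application data, which is protected by ChaCha20 and Poly1305 alone.

```python
"""
TLS 1.2 PRF (RFC 5246 section 5) driven through the key schedule of a
ChaCha20-Poly1305 suite (RFC 7905), counting HMAC calls per handshake.
Added example code; not from the draft or any TLS implementation.
All secrets and randoms below are constructed test values.
"""
import hashlib
import hmac
import math

HASH = "sha256"


class Prf:
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed), RFC 5246."""

    def __init__(self, hash_name=HASH):
        self.hash_name = hash_name
        self.hmac_calls = 0  # each HMAC is one use of the suite's hash function

    def _hmac(self, key, data):
        self.hmac_calls += 1
        return hmac.new(key, data, self.hash_name).digest()

    def p_hash(self, secret, seed, length):
        """P_hash = HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
        with A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
        out = b""
        a = seed
        while len(out) < length:
            a = self._hmac(secret, a)            # A(i)
            out += self._hmac(secret, a + seed)  # one output block
        return out[:length]

    def prf(self, secret, label, seed, length):
        return self.p_hash(secret, label + seed, length)


# RFC 7905: 256-bit key, 96-bit fixed IV; the AEAD tag replaces the MAC key.
ENC_KEY_LEN = 32
FIXED_IV_LEN = 12
MAC_KEY_LEN = 0
MASTER_SECRET_LEN = 48
VERIFY_DATA_LEN = 12


def derive_chacha20_poly1305_keys(prf, pre_master_secret, client_random, server_random):
    """Return (master_secret, key_block, keys dict) for one TLS 1.2 handshake."""
    master_secret = prf.prf(pre_master_secret, b"master secret",
                            client_random + server_random, MASTER_SECRET_LEN)
    # key expansion seeds with server_random first (RFC 5246 section 6.3)
    key_block_len = 2 * (MAC_KEY_LEN + ENC_KEY_LEN + FIXED_IV_LEN)
    key_block = prf.prf(master_secret, b"key expansion",
                        server_random + client_random, key_block_len)
    keys, pos = {}, 0
    for name, size in (("client_write_MAC_key", MAC_KEY_LEN),
                       ("server_write_MAC_key", MAC_KEY_LEN),
                       ("client_write_key", ENC_KEY_LEN),
                       ("server_write_key", ENC_KEY_LEN),
                       ("client_write_IV", FIXED_IV_LEN),
                       ("server_write_IV", FIXED_IV_LEN)):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return master_secret, key_block, keys


def handshake_hash_cost(hash_name=HASH):
    """HMAC invocations for a whole handshake: master secret, key block and
    both Finished messages. Record protection never touches this hash, so the
    count is independent of how much application data is sent."""
    prf = Prf(hash_name)
    pms = bytes(range(32))          # constructed 32-byte ECDHE shared secret
    client_random = b"\x11" * 32    # constructed
    server_random = b"\x22" * 32    # constructed
    master_secret, _, _ = derive_chacha20_poly1305_keys(prf, pms, client_random, server_random)
    # Finished: verify_data = PRF(master_secret, label, Hash(handshake_messages))[0..11]
    transcript_hash = hashlib.new(hash_name, b"constructed handshake transcript").digest()
    prf.prf(master_secret, b"client finished", transcript_hash, VERIFY_DATA_LEN)
    prf.prf(master_secret, b"server finished", transcript_hash, VERIFY_DATA_LEN)
    return prf.hmac_calls


def expected_hmac_calls(hash_name=HASH):
    """Closed form: every P_hash iteration costs two HMACs (A(i) and output)."""
    digest_len = hashlib.new(hash_name).digest_size
    key_block_len = 2 * (MAC_KEY_LEN + ENC_KEY_LEN + FIXED_IV_LEN)
    iterations = (math.ceil(MASTER_SECRET_LEN / digest_len)
                  + math.ceil(key_block_len / digest_len)
                  + 2 * math.ceil(VERIFY_DATA_LEN / digest_len))
    return 2 * iterations


if __name__ == "__main__":
    p = Prf()
    _, _, keys = derive_chacha20_poly1305_keys(p, bytes(range(32)), b"\x11" * 32, b"\x22" * 32)
    for name, value in keys.items():
        print(f"{name:22s} {len(value):2d} bytes {value.hex()}")
    print("HMAC calls per handshake, SHA-256:", handshake_hash_cost("sha256"))
    print("HMAC calls per handshake, SHA-384:", handshake_hash_cost("sha384"))
```

Running it shows a 48-byte master secret, an 88-byte key block split into two 32-byte keys and two 12-byte IVs with empty MAC keys, and 14 HMAC calls for the whole handshake with SHA-256 (10 with SHA-384, since the larger digest fills the key block in fewer iterations). Either number is negligible next to the ChaCha20 and Poly1305 work done on every record, which is the reason a slower software SHA-256 costs little for these suites.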