Re: [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)

Sam Whited <sam@samwhited.com> Fri, 08 May 2020 21:31 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hMcskXkWU6rJ2FuwX2lpKlti0u4>

On Fri, May 8, 2020, at 17:08, Salz, Rich wrote:
> It cites it, but doesn't include it in the 800-56 doc.

Maybe I'm confused too, but it sounds like it's included to me. The
definition of the KDF includes:

> The first (randomness-extraction) step uses either HMAC … If
> HMAC-hash is used in the randomness-extraction step, then the same
> HMAC-hash (i.e., using the same hash function, hash) shall be used as
> the PRF in the key-expansion step

This sounds like this would allow for HKDF as defined in RFC 5869 (which
as far as I can tell is the same thing except with HMAC required in both
steps instead of giving you the option of using AES-CMAC), unless I've
misunderstood something (not being anywhere near an expert on this
topic, this is quite possible — even likely).

Afterwards, it cites 5869 in such a way that sounds like it's saying
that it's a subset of the approved algorithm (although "a version" is
vague and confusing):

> [RFC 5869] specifies a version of the above extraction-then-expansion
> key-derivation procedure using HMAC for both the extraction and
> expansion steps. For an extensive discussion concerning the rationale
> for the extract-and-expand mechanisms specified in this
> Recommendation, see [LNCS 6223].

The last citation in that paragraph to LNCS 6223 appears to give a long
justification for why HKDF is secure, which all together makes it sound
like HKDF is an approved algorithm and thus TLS 1.3 will be okay.

—Sam

-- 
Sam Whited
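
Added example, not part of the message above: the RFC 5869 extract-then-expand construction, with the same HMAC-hash used in both steps as the quoted definition requires, checked against RFC 5869 Test Case 1. The function names are this example's own.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """Randomness-extraction step: PRK = HMAC-hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is a string of HashLen zero bytes.
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Key-expansion step: HMAC-hash keyed with PRK, used as the PRF."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC-hash(PRK, T(n-1) | info | n), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Both steps share one hash_name, so the same HMAC-hash is used throughout."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


# RFC 5869 Appendix A.1 (Test Case 1, SHA-256)
IKM = bytes([0x0B]) * 22
SALT = bytes(range(0x00, 0x0D))
INFO = bytes(range(0xF0, 0xFA))
EXPECTED_PRK = bytes.fromhex(
    "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
EXPECTED_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
    "34007208d5b887185865")


def rfc5869_case1_ok() -> bool:
    """Compare both intermediate and final outputs with the published vector."""
    prk_ok = hmac.compare_digest(hkdf_extract(SALT, IKM), EXPECTED_PRK)
    okm_ok = hmac.compare_digest(hkdf(SALT, IKM, INFO, 42), EXPECTED_OKM)
    return prk_ok and okm_ok
```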