Re: [TLS] HSM-friendly Key Computation

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Thu, Apr 23, 2015 at 01:34:53PM -0400, Michael StJohns wrote:
> On 4/23/2015 4:42 AM, Ilari Liusvaara wrote:
> >On Wed, Apr 22, 2015 at 05:30:42PM -0400, Michael StJohns wrote:
> >
> >One possible structure in TLS notation:
> >
> >struct prf_output
> >{
> >      /*
> >      0x0000 => For key derivation
> >      0x0001 => For AEAD keying
> >      0x8002 => For AEAD IV
> >      0x8003 => For octet string (exporters, unique)
> >      */
> >      uint16 type;
> >      uint16 length;  /* In bytes. */
> >};
> 
> I ended up with a bit larger set of key types:
> 
> Master Secret (can only be used with KDFs)

Right.

> AES-CMAC

Not used anywhere (insufficient security).

> AES-AEAD

Is there ment to be XXX-AEAD for different encryption algorithms?
Do AES-CCM and AES-GCM share a key type? What about AES-CCM8?

> AES-ENCRYPT

Not used. Encryption always pairs with authentication (AEAD).

> HMAC-SHA1

A NULL cipher key? That one wouldn't be directly used for anything else.

> HMAC-SHA2

NULL cipher keys are per algorithm?

> GENERIC-DATA (different that PKCS11 generic secret - could be IV material
> for example).

This is "octet string" above (except IVs are "AEAD IV").

> as a starting point.

Depending on view, you also need special type for exporter secret, since
it behaves somewhat unlike others.

> It turns out that you want to subdivide AES AEAD uses from non AEAD AES
> functions because you don't want to be able to use AES-CTR to get around the
> AES-CCM and GCM "don't let the data come out unless its been verified"
> policy.

As said, encryption always pairs with authentication.



-Ilari