Re: [TLS] Issue #964: Shortened HKDF labels

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 24 April 2017 16:16 UTC

Date: Mon, 24 Apr 2017 19:16:19 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170424161619.GA18783@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBP_0d+14_3SQ3sk+knytxpo4yxq5eYwGn++GC8H9BpUfw@mail.gmail.com> <20170424152422.GA18543@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBOoFRwwKO7SqjgcVGMU2UneUiaNXGr4GRO=80C3tsxo-w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n_TFape7L4HHoKLxGo8CkimZziI>

On Mon, Apr 24, 2017 at 08:28:33AM -0700, Eric Rescorla wrote:
> On Mon, Apr 24, 2017 at 8:24 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > On Mon, Apr 24, 2017 at 05:56:58AM -0700, Eric Rescorla wrote:
> > > https://github.com/tlswg/tls13-spec/issues/964
> > >
> > > Here is a proposed set of new labels, which, while slightly less clear,
> > > all fit into the 18 byte limit which Ilari (and I agree) says is what
> > > we have.

Aargh, turns out that Merkle-Damgård strengthening probably affects
things...

For SHA-256, MD strengthening consists of a padding bit and a 64-bit
message bit count, for a total of 65-512 bits of padding.

Trying to construct the raw SHA-256 message words for the inner hash with
a 9-byte label (K is key, L is label, H is hash).

KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK 
36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 
00201254 4C532031 2E332C20 LLLLLLLL LLLLLLLL LL20HHHH HHHHHHHH HHHHHHHH
HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHH0180 00000000 000003B8

Adding a 10th byte to the label seems to blow the block (0x3C0=1*512+448):

KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK 
36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 
00201354 4C532031 2E332C20 LLLLLLLL LLLLLLLL LLLL20HH HHHHHHHH HHHHHHHH
HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHH01 80000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 000003C0 


For comparison, with SHA-384, the blocks for a 9-byte label seem to be:

KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK
KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK 3636363636363636 3636363636363636
3636363636363636 3636363636363636 3636363636363636 3636363636363636
3636363636363636 3636363636363636 3636363636363636 3636363636363636
003012544C532031 2E332C20LLLLLLLL LLLLLLLLLL30HHHH HHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH 
HHHHHHHHHHHH0180 0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000000638

(Which has 327 hash block padding bits).


-Ilari
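The block-count arithmetic worked out by hand in the dumps above, as an added Python example that is not part of this thread: it serializes HkdfLabel in the layout the dumps assume (uint16 output length, one-byte-length-prefixed "TLS 1.3, " + label, one-byte-length-prefixed hash value, then the HKDF-Expand counter byte 0x01), counts the SHA-2 compression calls the HMAC inner hash needs once Merkle-Damgård padding is included, and derives the longest label that still fits in two blocks. The key bytes are a constructed placeholder; only lengths matter here.

```python
# Hash parameters: (block size in bytes, length-field size in bytes, digest size in bytes)
HASH_PARAMS = {
    "sha256": (64, 8, 32),
    "sha384": (128, 16, 48),
}

# Fixed prefix of every HkdfLabel in the draft layout assumed from the dumps.
LABEL_PREFIX = b"TLS 1.3, "


def hkdf_label(label: bytes, hash_value: bytes, out_len: int) -> bytes:
    """Serialize HkdfLabel: uint16 length, opaque label<7..255>, opaque hash_value<0..255>."""
    full_label = LABEL_PREFIX + label
    return (out_len.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(hash_value)]) + hash_value)


def inner_hash_message(label: bytes, hash_name: str) -> bytes:
    """Bytes the HMAC inner hash processes for the first HKDF-Expand output block.

    As in the dumps: output length and hash_value length both equal the digest size,
    and K xor ipad occupies one full hash block. Constructed placeholder key block:
    the real bytes are K xor 0x36, which has the same length.
    """
    block, _, digest = HASH_PARAMS[hash_name]
    key_block = bytes([0x36]) * block
    info = hkdf_label(label, b"\x00" * digest, digest)
    return key_block + info + b"\x01"  # 0x01 is the HKDF-Expand counter for T(1)


def compression_calls(msg_len: int, hash_name: str) -> int:
    """Compression-function invocations for msg_len bytes, including MD strengthening:
    the 0x80 byte, zero fill, and the trailing message bit count."""
    block, length_field, _ = HASH_PARAMS[hash_name]
    return -(-(msg_len + 1 + length_field) // block)  # ceiling division


def inner_blocks(label: bytes, hash_name: str) -> int:
    """How many hash blocks the HMAC inner hash costs for this label."""
    return compression_calls(len(inner_hash_message(label, hash_name)), hash_name)


def max_label_for_two_blocks(hash_name: str) -> int:
    """Longest label (excluding the "TLS 1.3, " prefix) that keeps the inner hash at two blocks."""
    block, length_field, digest = HASH_PARAMS[hash_name]
    fixed = block + 2 + 1 + len(LABEL_PREFIX) + 1 + digest + 1 + 1 + length_field
    return 2 * block - fixed
```

The bit count at the end of each dump (0x3B8, 0x3C0, 0x638) is simply eight times the length of `inner_hash_message`, which is how the test below ties the code back to the hand-built blocks.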