Re: [TLS] HSM-friendly Key Computation

Eric Rescorla <ekr@rtfm.com> Fri, 17 April 2015 19:41 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76F151A01D6 for <tls@ietfa.amsl.com>; Fri, 17 Apr 2015 12:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bhz6Ts-PUWFF for <tls@ietfa.amsl.com>; Fri, 17 Apr 2015 12:41:10 -0700 (PDT)
Received: from mail-wg0-f53.google.com (mail-wg0-f53.google.com [74.125.82.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8364A1B2FE1 for <tls@ietf.org>; Fri, 17 Apr 2015 12:41:07 -0700 (PDT)
Received: by wgyo15 with SMTP id o15so123614099wgy.2 for <tls@ietf.org>; Fri, 17 Apr 2015 12:41:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=ceD90QhSwg3Fd91L5BMIRVYyQcMWKd+R64fbnNyTd9c=; b=Zpxt1DD/A0r7KVby41Q2JFM1wrE5Z+z5nIZ3kXdX4UTZZgDPsoDNwdiaZ8ypFdtfRC OZlJA+t+A2e1UEnizAyJg5gh9U+cGfSblvng2pIPPHcnIt3uTq1OeYCTfTJ7N8azoIuO uQTPdScYKHc4YL1I/s71f86SRudSuL2h5En5BZN6XlHHBA2SG0MHQ9rAZV3jktGW/Don rWoWB1oM/gRWbMVDH8d4Yr0fPJAKZU7bo4tQYAfAiq11qthvk/JaPxYG5nmbrTLBYmT8 Qkt5ZFkGdzSjj4m0Via+O3QPsyaFPT5MqMoCXyPWgfHhYrJxj5Y6j1vNiENmdqbcDLlp f/MA==
X-Gm-Message-State: ALoCoQlbNmhz5S1LEcKi19p0svhu2ygnEAk0XrAzR7l0hWHUUlpvsrwWsalSBcKsyFrj64/iUtIS
X-Received: by 10.180.84.67 with SMTP id w3mr4273960wiy.68.1429299666294; Fri, 17 Apr 2015 12:41:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.87 with HTTP; Fri, 17 Apr 2015 12:40:25 -0700 (PDT)
In-Reply-To: <0694C3DB-FB87-42A2-BCC4-CC0F761E9A03@vigilsec.com>
References: <0694C3DB-FB87-42A2-BCC4-CC0F761E9A03@vigilsec.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 17 Apr 2015 12:40:25 -0700
Message-ID: <CABcZeBOh08+8bz3Wk+xXYp9myVHpk6R70QMWdRjs1h7Y7ghEeQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary=f46d04440276e329e80513f0c251
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/tDU2dma6iIrsX8ytvwYk1xw2RsY>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] HSM-friendly Key Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2015 19:41:11 -0000

We should defer this issue until we know whether we are generating an IV
at all.

-Ekr


On Fri, Apr 17, 2015 at 11:59 AM, Russ Housley <housley@vigilsec.com> wrote:

> Section 6.3 of draft-ietf-tls-tls13-05 describes the key calculation from
> the current master secret (MS).  First a key block is computed:
>
>       key_block = PRF(MS,
>                       "key expansion",
>                       SecurityParameters.server_random +
>                       SecurityParameters.client_random);
>
> Then, the key block is divided into keys and IVs:
>
>       client_write_key[SecurityParameters.enc_key_length]
>       server_write_key[SecurityParameters.enc_key_length]
>       client_write_IV[SecurityParameters.fixed_iv_length]
>       server_write_IV[SecurityParameters.fixed_iv_length]
>
> If one wants to implement the cryptographic functions in a Hardware
> Security Module (HSM), this structure is far from ideal.  In general I
> would expect the client_write_key and server_write_key to stay inside the
> protected boundary of the HSM, but the client_write_IV and server_write_IV
> do not need this protection.  Both of these coming from the same key_block
> makes this separation very difficult to implement.
>
> Can we get these values from different invocations of the PRF?  I'd like
> to see one invocation for values that are expected to remain secret and a
> separate invocation for values that do not need to remain secret.
>
> Russ
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>