Re: [TLS] PRF in 1.3

Andrey Jivsov <> Thu, 07 August 2014 05:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 995121A0AD1 for <>; Wed, 6 Aug 2014 22:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u7J9z7xjR6aP for <>; Wed, 6 Aug 2014 22:37:29 -0700 (PDT)
Received: from ( [IPv6:2001:558:fe2d:43:76:96:30:56]) by (Postfix) with ESMTP id 16FD21A0ACE for <>; Wed, 6 Aug 2014 22:37:29 -0700 (PDT)
Received: from ([]) by with comcast id bhNB1o0020b6N64A6hdUo1; Thu, 07 Aug 2014 05:37:28 +0000
Received: from [] ([]) by with comcast id bhdT1o00P4uhcbK8PhdUX0; Thu, 07 Aug 2014 05:37:28 +0000
Message-ID: <>
Date: Wed, 06 Aug 2014 22:37:27 -0700
From: Andrey Jivsov <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
X-Priority: 5 (Lowest)
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=q20140121; t=1407389848; bh=aDd7K30T0/ytDbt4hld4sDojA+UVFiqjp1SpekB2JNg=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=EJDyXvjIerkmZ9/XcDJSXAjh0LgxKd7cD8/c7XqzQ5sRhOYfhQhhdmeU83XTwsi7Z Qn4z5zq/SMiSnPewtVakHDCCiRN5MMlo3NrO4Lqlbv+KeqGUiDC6VZPhq7Uk3ZfUNv O/mLtizvvg6cSSc7SUoo6t1IdeAHuAnYkub+VeQWZTU6GMmXfeRrPqqjC7nQbM3tiA /de5iFEq3QcG4MXbT9T7jV3mdkfKP82RW09RX2RBIZVs7UmL3If9jlzU5sBK7nNXnt bQpc77OWI5XeitA44QOhZwe3cxtTtyqFVn3xm6Bc6EazOahzZyTzdgIaX0+gieTZRx LHtvqRy5LfEWw==
Subject: Re: [TLS] PRF in 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Aug 2014 05:37:30 -0000

On 08/06/2014 01:10 PM, Michael StJohns wrote:
> I think you're still missing the point - the PRF *is* used as a
> signature function over a hash.  If the PRF were used as an HMAC
> signature function over the raw handshake data, it would be as secure as
> the HMAC (which is 256 bits for SHA256) unneedsderlying the PRF, but since
> you're signing the hash of the handshake data, you've no more security
> than the collision resistance of the hash which is 128 bites for SHA256.

For the hash function collision over a handshake to be a problem there 
should to be a setting in which a collision of the hash output value 
over *any* two handshakes poses a problem.

Statements about *this* particular handshake still fall under MAC usage. 
This case seems to apply here because each peer is hashing "his" packets 
and that is the hash value that needs to match.