Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Michael StJohns <msj@nthpermutation.com> Sun, 26 April 2015 23:55 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46FBF1ACE11 for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 16:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOWOPdMGrOPV for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 16:55:47 -0700 (PDT)
Received: from mail-vn0-f48.google.com (mail-vn0-f48.google.com [209.85.216.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1B461ACE0D for <tls@ietf.org>; Sun, 26 Apr 2015 16:55:46 -0700 (PDT)
Received: by vnbf129 with SMTP id f129so10002327vnb.9 for <tls@ietf.org>; Sun, 26 Apr 2015 16:55:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=hTWfgrt7bY1/Aeny2mvEkrZxmf05gtK/QpcmkJChZVw=; b=Nejcpo/93e4HVJ+pEC86cFTi+oFz9PGmkqSA+HWU+/vcGmX3rRfwbBcIpQjNoqaE/b tvXzGjZjwMYgg1H9wYbfyu3V5cexoCv1x/FyJyMKKwGKE0qECxG9tURzVojx0V9OoaO3 0fWjwuZgJ0JR/7P+l+KW75p1iYPe4cDJqckUmM5XMG6Exj7M5+AdTXQFnB84Qu8aIFPd d5OfskM24X3RDpiKSP3DUNWEi7v/3N8jLKKtoaEWxLvsCp+XTveShUqGInpTTg1cSIOw Qe/SU7VBqFR/yyEevuS7pxcC+WCHhX8SSz9wUg+kzKkp5h1eTFDRqKb5bSKbqCX5CchY kFoQ==
X-Gm-Message-State: ALoCoQkKNBqkO3meJDCyDPSCSHVKnH7z22GPx18mN+0BDh5qxJ438NxLhFP9bfLh71+MrX7dkOj7
X-Received: by 10.52.33.132 with SMTP id r4mr21738950vdi.0.1430092546157; Sun, 26 Apr 2015 16:55:46 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:84:cae:d6cf:19b5:13bc? ([2601:a:2a00:84:cae:d6cf:19b5:13bc]) by mx.google.com with ESMTPSA id cc10sm21451673vdc.3.2015.04.26.16.55.45 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Apr 2015 16:55:45 -0700 (PDT)
Message-ID: <553D7B00.90600@nthpermutation.com>
Date: Sun, 26 Apr 2015 19:55:44 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
References: <4A5C6D8F-6A28-4374-AF1F-3B202738FB1D@ieca.com> <551DDD4E.5070509@nthpermutation.com> <F7F3EB83-FEA2-477C-8810-38C49B71C977@ieca.com> <551E290D.7020207@nthpermutation.com> <55381768.8010402@nthpermutation.com> <CACsn0cm5A50dP4JDKq9R0XdB83hyzPPLQHAMnUcXFb+DCSwV7g@mail.gmail.com> <55392B08.6020304@nthpermutation.com> <CADi0yUPTixoesXkgd=HYe_+ua_+=_UfcDBSndCgdh1usTzNpzQ@mail.gmail.com> <553D3572.6040408@nthpermutation.com> <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>
In-Reply-To: <CADi0yUOnsD0Sasq7dRTbRpUm9jTg-uf+vjkkpMCxxsKXH0kqMw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040007020802020204080707"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uQQkamzvys6_gxhPyc5MIw7R3GE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] =?utf-8?q?confirming_the_room=E2=80=99s_consensus=3A_adopt_?= =?utf-8?q?HKDF_PRF_for_TLS_1=2E3?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2015 23:55:48 -0000

On 4/26/2015 4:20 PM, Hugo Krawczyk wrote:
>
>
>     All calls to HKDF *should* use a non-empty label and context
>     field, but that's tied more to the specific use than anything else.
>
>
> ​ Agreed. All calls to HKDF that produce cryptographic keys for use in 
> the protocol MUST use a non-empty label and context field and that's 
> what we do.

Some clarification here:


For HKDF as a generic function, I meant "SHOULD" in its normal meaning.  
Implementations of HKDF can permit a null label and context field and 
will get what they expect from that.

For HKDF as a the KDF for TLS, TLS will assign labels and associate 
contexts for specific usages and those are going to be non-null.

Mike