Re: [TLS] PRF in 1.3

mrex@sap.com (Martin Rex) Thu, 31 July 2014 16:23 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A40D21A0194 for <tls@ietfa.amsl.com>; Thu, 31 Jul 2014 09:23:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tFf2Jnh1jvVS for <tls@ietfa.amsl.com>; Thu, 31 Jul 2014 09:23:38 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 2C4F41A0180 for <tls@ietf.org>; Thu, 31 Jul 2014 09:23:37 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s6VGMmqM016462 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 31 Jul 2014 18:22:48 +0200 (MEST)
In-Reply-To: <201407281624.10986.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Date: Thu, 31 Jul 2014 18:22:47 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140731162247.6D6301ADDA@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/uRjTRatq-ivUGDZaftmF4cGqnzI
Cc: tls@ietf.org
Subject: Re: [TLS] PRF in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 16:23:40 -0000

Dave Garrett wrote:
>
> https://github.com/tlswg/tls13-spec/issues/26
> 
> Issue #26 notes complication with the usage of a negotiable PRF. The
> current suggestion mentioned was to consider removing PRF
> negotiation in favor of SHA-256, calling it "good enough" until the next
> protocol version.

The PRF was already negotiable (i.e. depending on the cipher suite)
in TLSv1.0.  While this isn't spelled out in the TLSv1.0 spec, it
is clear from the TLS WG discussions about TLSv1.0 and there is
nothing in the TLSv1.0 spec that precludes it.

There are implementations in active use with GOST-based TLS cipher suites,
which replace the TLS PRF (and the hashes used within), and this is
used with TLSv1.0.  The I-D describing the cipher suites has never been
completed, though:
   http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04

and there also exist no code point assignments in the TLS registry,
so using this with TLSv1.2 is not possible (only TLSv1.0 and TLSv1.1).

The GOST signature algorithms described in that I-D have also been
superseded by more recent ones, but there currently is no description
for those either.

Our TLS (v1.0) implementation contains a plugin interface which can
replace the TLS PRF, just like Microsoft Windows XP(!) has such an
interface.  AFAIK, OpenSSL 1.0.0 also had support for GOST ciphersuites
from the above draft.


-Martin