IETF Logo Mail Archive

Re: [TLS] PR#875: Additional Derive-Secret Stage

John Schanck <jschanck@uwaterloo.ca> Fri, 10 February 2017 16:04 UTC

Return-Path: <jschanck@uwaterloo.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63CD0129A27 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 08:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DoQveGrsKynC for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 08:04:36 -0800 (PST)
Received: from minos.uwaterloo.ca (minos.uwaterloo.ca [129.97.128.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBE22129A26 for <tls@ietf.org>; Fri, 10 Feb 2017 08:04:35 -0800 (PST)
Received: from localhost (jschanck.iqc.uwaterloo.ca [129.97.40.236]) (authenticated bits=0) by minos.uwaterloo.ca (8.14.4/8.14.4) with ESMTP id v1AG4XOL007886 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Fri, 10 Feb 2017 11:04:33 -0500
Date: Fri, 10 Feb 2017 11:04:33 -0500
From: John Schanck <jschanck@uwaterloo.ca>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20170210160432.o7izhdybswufv2vu@xyphr>
References: <CABcZeBNLWG5ORRJ0cAVpG7H9w6q7kXS_O9PFQSeNOheLG+nyMA@mail.gmail.com> <CABkgnnVXF85PqNnMxPC3C8HHtqQR00wAXf8jsAUudv3mFdKWFA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABkgnnVXF85PqNnMxPC3C8HHtqQR00wAXf8jsAUudv3mFdKWFA@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-UUID: 4e0f3993-b1cb-46b0-9b89-e689fed397cb
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/v2eEQRrNZxCmWlp2qjjIqc3sEk8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR#875: Additional Derive-Secret Stage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 16:04:37 -0000

Martin Thomson wrote:
> This is a good idea.

+1

> Just to highlight this point: if we need to add a PQ key exchange,
> there is no guarantee that it will have exactly the same properties as
> the key exchange methods we have today.  I expect that need to arise
> relatively soon, so that's an extra good reason to make this change.

For the same reason, I think the labels for these new Derive-Secret
calls should anticipate extensions that provide additional input
secrets.

This PR specifies labels for the PSK and (EC)DHE inputs

  Derive-Secret(., "derived early secret", "")
  Derive-Secret(., "derived handshake secret", ""),

but the draft seems to allow arbitrarily many input secrets. Just above
the diagram it says

"Given a set of n InputSecrets, the final "master secret" is computed
 by iteratively invoking HKDF-Extract with InputSecret_1, InputSecret_2,
 etc."

So we might want the labels in the new Derive-Secret calls to indicate
which InputSecret is being incorporated, e.g.

  Derive-Secret(., "derived secret 1", "")
  Derive-Secret(., "derived secret 2", "")
  Derive-Secret(., "derived secret 3", "")
  etc.

I should also note that the draft does not specify how an extension
would produce an additional input secret. So, alternatively, we could
just strike out the "Given a set of n InputSecrets" line.

I personally think there should be a way for extensions to provide
additional input secrets. I can submit a PR along those lines if
there is interest.


-John

v2.23.0 | Report a Bug | By Email