Re: [TLS] PR#875: Additional Derive-Secret Stage
John Schanck <jschanck@uwaterloo.ca> Fri, 10 February 2017 16:04 UTC
Return-Path: <jschanck@uwaterloo.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63CD0129A27 for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 08:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DoQveGrsKynC for <tls@ietfa.amsl.com>; Fri, 10 Feb 2017 08:04:36 -0800 (PST)
Received: from minos.uwaterloo.ca (minos.uwaterloo.ca [129.97.128.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBE22129A26 for <tls@ietf.org>; Fri, 10 Feb 2017 08:04:35 -0800 (PST)
Received: from localhost (jschanck.iqc.uwaterloo.ca [129.97.40.236]) (authenticated bits=0) by minos.uwaterloo.ca (8.14.4/8.14.4) with ESMTP id v1AG4XOL007886 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Fri, 10 Feb 2017 11:04:33 -0500
Date: Fri, 10 Feb 2017 11:04:33 -0500
From: John Schanck <jschanck@uwaterloo.ca>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20170210160432.o7izhdybswufv2vu@xyphr>
References: <CABcZeBNLWG5ORRJ0cAVpG7H9w6q7kXS_O9PFQSeNOheLG+nyMA@mail.gmail.com> <CABkgnnVXF85PqNnMxPC3C8HHtqQR00wAXf8jsAUudv3mFdKWFA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABkgnnVXF85PqNnMxPC3C8HHtqQR00wAXf8jsAUudv3mFdKWFA@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-UUID: 4e0f3993-b1cb-46b0-9b89-e689fed397cb
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/v2eEQRrNZxCmWlp2qjjIqc3sEk8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR#875: Additional Derive-Secret Stage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 16:04:37 -0000
Martin Thomson wrote: > This is a good idea. +1 > Just to highlight this point: if we need to add a PQ key exchange, > there is no guarantee that it will have exactly the same properties as > the key exchange methods we have today. I expect that need to arise > relatively soon, so that's an extra good reason to make this change. For the same reason, I think the labels for these new Derive-Secret calls should anticipate extensions that provide additional input secrets. This PR specifies labels for the PSK and (EC)DHE inputs Derive-Secret(., "derived early secret", "") Derive-Secret(., "derived handshake secret", ""), but the draft seems to allow arbitrarily many input secrets. Just above the diagram it says "Given a set of n InputSecrets, the final "master secret" is computed by iteratively invoking HKDF-Extract with InputSecret_1, InputSecret_2, etc." So we might want the labels in the new Derive-Secret calls to indicate which InputSecret is being incorporated, e.g. Derive-Secret(., "derived secret 1", "") Derive-Secret(., "derived secret 2", "") Derive-Secret(., "derived secret 3", "") etc. I should also note that the draft does not specify how an extension would produce an additional input secret. So, alternatively, we could just strike out the "Given a set of n InputSecrets" line. I personally think there should be a way for extensions to provide additional input secrets. I can submit a PR along those lines if there is interest. -John
- [TLS] PR#875: Additional Derive-Secret Stage Eric Rescorla
- Re: [TLS] PR#875: Additional Derive-Secret Stage Martin Thomson
- Re: [TLS] PR#875: Additional Derive-Secret Stage John Schanck
- Re: [TLS] PR#875: Additional Derive-Secret Stage Hugo Krawczyk