Re: [TLS] Labels in the TLS 1.3 key schedule
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 10 October 2017 08:21 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79B89134A58 for <tls@ietfa.amsl.com>; Tue, 10 Oct 2017 01:21:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNA5V8LzGpBF for <tls@ietfa.amsl.com>; Tue, 10 Oct 2017 01:21:41 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9B73134A19 for <tls@ietf.org>; Tue, 10 Oct 2017 01:21:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id B96A15371B; Tue, 10 Oct 2017 11:21:36 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id wS1FUsxkOGfF; Tue, 10 Oct 2017 11:21:35 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 93E80C4; Tue, 10 Oct 2017 11:21:33 +0300 (EEST)
Date: Tue, 10 Oct 2017 11:21:33 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20171010082133.j4tk2epdijrfhawv@LK-Perkele-VII>
References: <CY4PR21MB012070DC2B0AD20603DBDD2F8C750@CY4PR21MB0120.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CY4PR21MB012070DC2B0AD20603DBDD2F8C750@CY4PR21MB0120.namprd21.prod.outlook.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xCTimys1C2icGM7I05d4CejMyxY>
Subject: Re: [TLS] Labels in the TLS 1.3 key schedule
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Oct 2017 08:21:43 -0000
On Tue, Oct 10, 2017 at 01:22:11AM +0000, Andrei Popov wrote: > Sorry if I missed some text in the TLS 1.3 spec, but are the various > labels used in the key schedule ASCII and nul-terminated? The labels _are_ ASCII, but _not_ NUL-terminated. Instead, the labels have explicit length field. Constructing some examples of raw HKDF info blocks (for draft-21), I hope these are correct: Example 1) SHA-256, server handshake traffic secret: +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00 20|12|ASCII(tls13 s hs traffic) | +--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+ | |20| Handshake hash up to and | +--+--+--+--+--+--+ + | including ServerHello | + +--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+ Total 54 bytes, exactly fills one SHA-256 block after HKDF to HMAC lowering and SHA-256 padding (not a coincidence). The byte immediately before the boxed 0x20 contains ASCII 'c'. Example 2) SHA-384 client application traffic secret: +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00 30|12|ASCII(tls13 c ap traffic) | +--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+ | |30| Handshake hash up to and | +--+--+--+--+--+--+ + | including ServerFinished | + + | | + +--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+ Total 70 bytes, fits into one SHA-384 compression, even after lowering to HMAC and SHA-384 padding. The byte immediately before the boxed 0x30 contains ASCII 'c'. Example 3) SHA-256, the "derived" stages (which are just before injecting raw DHE result and just before injecting block of zeroes): +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00 20|0d|ASCII(tls13 derived) | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |20|e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9| +--+ + |24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8| + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |55| +--+ Total of 49 bytes. Note e3...55 is SHA-256 of empty input. Another place that uses similar construction is the per-exporter key derivation. Byte 15, immedately before boxed 20 contains ASCII 'd'. Example 4) SHA-384, traffic key update: +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00 30|11|ASCII("tls13 traffic upd") | +--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+ | |00| +--+--+--+--+--+ Total of 21 bytes. Note, no hash of empty input, as this uses hkdf-expand-label as opposed to derive-secret. The byte immediately before boxed 0x20 contains ASCII 'd'. Example 5) SHA-256, inner exporter derivation for label "EXPORTER: teap session key seed": +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00 20|25|ASCII(tls13 EXPORTER: teap session key| +--+--+--+ + | seed) | + +--+--+--+--+--+--+--+--+ | |20|e3 b0 c4 42 98 fc 1c| +--+--+--+--+--+--+--+--+--+ + |14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93| + +--+--+--+--+--+--+--+ |4c a4 95 99 1b 78 52 b8 55| +--+--+--+--+--+--+--+--+--+ Total of 73 bytes. Note, this blows SHA-256 block (this exporter inner hash is the only place in current spec that might blow out SHA-256 block, However, if another hash function is defined, that might have its block blown in other places too). The byte immedately before the boxed 0x20 contains ASCII 'd'. Also note that the way the label is split, there is a space between words "key" and "seed". Without the empty hash, this would blow blocks less (e.g., would not blow with this example label), but still could blow them, as the maximum label is 249 bytes, giving 259+<hashoutputlen> byte raw info block, which exceeds the blocksize of any known hash function). Example 6) SHA-384, deriving IV for Chacha20-Poly1305: +--+--+--+--+--+--+--+--+--+--+--+--+ |00 0c|08|ASCII(tls13 iv) |00| +--+--+--+--+--+--+--+--+--+--+--+--+ Total of 12 bytes (this is the shortest of these blocks). The output is truncated to 12 bytes. The byte immedately before the boxed 0x00 contains ASCII 'v'. Example 7) SHA-256, final exporter derivation step for 64-byte output (exporter label is not material): +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00 40|0E|ASCII(tls13 exporter) | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |00| +--+--+ Note that HKDF lowers into HMAC two times here, since there is 33 to 64 bytes of output, but SHA-256 only produces 32 bytes of output. The empty box in the last row contains ASCI 'r', as the label overflows to byte 16. -Ilari
- [TLS] Labels in the TLS 1.3 key schedule Andrei Popov
- Re: [TLS] Labels in the TLS 1.3 key schedule Ilari Liusvaara
- Re: [TLS] Labels in the TLS 1.3 key schedule Martin Thomson
- Re: [TLS] Labels in the TLS 1.3 key schedule Andrei Popov