[TLS] Why is resumption_context hashed?

David Benjamin <davidben@chromium.org> Fri, 15 July 2016 10:39 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1174312B050 for <tls@ietfa.amsl.com>; Fri, 15 Jul 2016 03:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 4nwzbSPeNYa4 for <tls@ietfa.amsl.com>; Fri, 15 Jul 2016 03:39:55 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE7D912DA60 for <tls@ietf.org>; Fri, 15 Jul 2016 03:39:54 -0700 (PDT)
Received: by mail-io0-x230.google.com with SMTP id b62so100474236iod.3 for <tls@ietf.org>; Fri, 15 Jul 2016 03:39:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=6Q2IN0/DeIXssu6RWwsHkqcEFq6m4qWImGreGYANNlk=; b=MiRAZizHTz83R6h7CGBXtYh/DxCcI0jC4nWus4UFVGxo978vqVQQ0CXMm21HtHWkNd rxu9oQfEjCUV0PugHYvXUCAbNDA9Ys0+YI02aif9HARbMzbaZ6pDEtjPsrT/g1T3+a/y eVD1zWFj1rkFlUy1jwKYryWGZbl8Hy7LaeuxY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6Q2IN0/DeIXssu6RWwsHkqcEFq6m4qWImGreGYANNlk=; b=jf+5wR7kKx9CjjY2NY3nOA4Q3siz3uvDJuFVvEk46GvpBCb0UNjJlNneJgDE0Fxm21 B4q8TKQCb0XEiBbU+M6xO0Kwe48fu/iuON1LU7JcGZa/UM2FfJ1mCi4ldipiypp0SXoO SNU5K2qjfcZw/zSdh3APTlI1F8/focFU4VqtPQJzHpC1zfCMsE6a0FKH3zXWIYsbIuUC gWVsULv/36AiNz/qJCnvlovExnNd4ROGf1qQJPbGOqXWqyrBYK5RtCk13KVy6Ydmf8Zy yBBpAS/tSUOlauyxA24L+uyXEB7eF+VK99vwYBTbtqaZu+Hw/qhuzH312b+Dm9noc/bp Yr9g==
X-Gm-Message-State: ALyK8tLSWoLOH+b7w4pB5HeIIACU+qgZ50WWN/bHmBAVVhh0BGWKXh02c4C9PMjDcSOr47mYMW0v+XnUSeQ1ukh8
X-Received: by with SMTP id b127mr21177909ioa.6.1468579193876; Fri, 15 Jul 2016 03:39:53 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 15 Jul 2016 10:39:43 +0000
Message-ID: <CAF8qwaB8W20pwUk2bFo5854ZXmZ+mmprn4esc=L0v2r84XwdrA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11440f1c2d55a10537aa3d8d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yKpsXDIfYBbd8BxYBr4mfyg1Jqc>
Subject: [TLS] Why is resumption_context hashed?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 10:39:57 -0000

Every time resumption_context is used, it's fed into the PRF hash.
Handshake Context gets hashed since that actually expands to the full
concatenation and we want to be able to maintain a rolling hash.
But resumption_context is always a short value and is already the size of
the PRF hash. (If not resuming, it is the zero key, which is sized
appropriately. If resuming, it is the size of the PRF hash of the original
connection. But we require that resumptions use the same PRF, so that too
will be the right size.)

Was there some other reason we needed to hash it, or is a guarantee of
constant size sufficient to use it directly? If it still needs to be
hashed, it seems we ought to redefine resumption_context to be
Hash(HKDF-Expand-Label(...)) instead, mostly as a hint to implementors that
one may as well store the final value in the ticket.