Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

Eric Rescorla <ekr@rtfm.com> Mon, 21 December 2015 01:42 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 20 Dec 2015 17:41:32 -0800
Message-ID: <CABcZeBOqj5kYfSGhqEdT6ojCVyjF6xXbquU2nPtRok2jj1+BcA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/z1hFphWpeeFhnts1sjovPvZzVko>
Cc: Adam Langley <agl@imperialviolet.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

On Sun, Dec 20, 2015 at 5:13 PM, Brian Smith <brian@briansmith.org> wrote:

> Adam Langley <agl@imperialviolet.org> wrote:
>
>> On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <brian@briansmith.org>
>> wrote:
>> > That is, it seems it would be better to use HKDF-SHA512 instead of
>> > **HKDF-SHA256**.
>>
>> I assume that you mean for TLS 1.3 since you mention HKDF?
>
>
> No, I mean for all versions of TLS.
>

Do you mean using SHA-512 in the TLS 1.2 PRF? Or something else?

>> So, the current code points are probably SHA-256 now. I don't object
>> to adding more if people want SHA-384 too. Although, since the hash
>> function is only used in key derivation with these cipher suites,
>
>
> I don't think it would be a good idea to add more code points to negotiate
> SHA-512 in the PRF while still leaving code points for negotiating SHA-256
> in the PRF. It should be one or the other.
>
>
>> I'm
>> not sure that a slower, software implementation of SHA-256 would be a
>> big problem.
>
>
> It just seems really unfortunate to mandate SHA-512 for Ed25519 and then
> mandate SHA-256 for ChaCha20-Poly1305 in TLS. Mandating the same algorithm
> for both seems like a better idea.
>

Can you explain what resource you're trying to conserve here?

The MTI cipher suites for TLS 1.2 and 1.3 require SHA-256, and
all the AES-GCM cipher suites already require SHA-256 or SHA-384, so it
seems like the vast majority of implementations are going to require at
least one of these algorithms in any case.

-Ekr
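As an added illustration (not part of the thread, and not code from any of the participants) of what "using SHA-512 in the TLS 1.2 PRF" would mean in practice: the RFC 5246 P_hash/PRF construction parameterized by digest, used to expand a master secret into an AEAD key block. The 32-byte key / 12-byte fixed-IV layout and every input value are constructed assumptions for the example, not values from the thread.

```python
import hashlib
import hmac


def p_hash(digest, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 P_hash: iterate HMAC_hash until `length` bytes are produced.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output block i = HMAC(secret, A(i) + seed).
    Each iteration yields one digest of output, so SHA-256 needs 3 iterations for an
    88-byte key block while SHA-512 needs only 2.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(digest, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 PRF: P_<hash>(secret, label + seed). Only `digest` changes between
    a SHA-256-PRF and a SHA-512-PRF cipher suite; the AEAD side is untouched."""
    return p_hash(digest, secret, label + seed, length)


# Constructed sample inputs (not a real handshake).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

# Assumed AEAD key-block layout: no MAC keys, two 32-byte keys, two 12-byte fixed IVs.
KEY_LEN, IV_LEN = 32, 12


def derive_key_block(digest) -> dict:
    """RFC 5246 section 6.3 key expansion, split into the per-direction AEAD material."""
    total = 2 * KEY_LEN + 2 * IV_LEN
    block = tls12_prf(digest, MASTER_SECRET, b"key expansion",
                      SERVER_RANDOM + CLIENT_RANDOM, total)
    return {
        "client_write_key": block[0:KEY_LEN],
        "server_write_key": block[KEY_LEN:2 * KEY_LEN],
        "client_write_IV": block[2 * KEY_LEN:2 * KEY_LEN + IV_LEN],
        "server_write_IV": block[2 * KEY_LEN + IV_LEN:total],
    }


if __name__ == "__main__":
    for name, d in (("SHA-256", hashlib.sha256), ("SHA-512", hashlib.sha512)):
        print(name, {k: v.hex() for k, v in derive_key_block(d).items()})
```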