Re: [TLS] draft-ietf-tls-exported-authenticator questions
Watson Ladd <watson@cloudflare.com> Thu, 20 July 2017 16:33 UTC
Return-Path: <watson@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ABE1131A76 for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 09:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OIjGhxGKXSfv for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 09:33:42 -0700 (PDT)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23CF01318A3 for <tls@ietf.org>; Thu, 20 Jul 2017 09:33:42 -0700 (PDT)
Received: by mail-wr0-x231.google.com with SMTP id k71so19498272wrc.2 for <tls@ietf.org>; Thu, 20 Jul 2017 09:33:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jOIONR+KcXHJffbqfCKXG1/fMkBw7PU+pblikw9ollg=; b=waNXHF3blTX6hbCtgcJQ8YSENT1uKh9FjugnxnURn3IAiQwsHhQqcIorFcBbAgqbxi VC/rGfxzy6BfIHcoM2lTPQqMuUT3UD5tWBROade4K+yRvRx++EVInVEdtTAhobs1MrMn 3gduAuujaWwM5onL4v7x6l6dT6mXhLuWA3Y7A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jOIONR+KcXHJffbqfCKXG1/fMkBw7PU+pblikw9ollg=; b=YftBZ4NLJPigOH498lqPip9NgkGayX7BXlOySSKF+Fi+2F5NsSIbnqwR/S1DPYtihd KR42g0M0vovdn3p8b5MrpiyrpgUMQXcVjNSZOBGIC5wLu92u+zwK/7oosiLm6msudZTI I4cQBE63a4Vjh38rTjLXHPv9gpEjBTP4H0m5f3kXSeTBDrdvIafHNV95bEg63vl0vq9z +gPmjO8azMqDh4H7vl0AfZrYucPg5f4iHRgOOYEuds9+PLbHs/rdjOBCMzkqpGBIJRbV o8jAvgrUWmbcXm9r410ayUYYeeBG5YwosDfHdBb4Ib8LwIWqKZ9sywd+aCCjJ0PSbWdj iRXg==
X-Gm-Message-State: AIVw113W0LFKROl4DGcXZF4oNx4/yzQWUPRamRnKMjAZmbG9nALlM0qh BPuT00FSXxKMSqwbcn/CyavaBpcfBY+i
X-Received: by 10.223.160.174 with SMTP id m43mr7061487wrm.194.1500568420705; Thu, 20 Jul 2017 09:33:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.234.22 with HTTP; Thu, 20 Jul 2017 09:33:40 -0700 (PDT)
In-Reply-To: <20170720070217.xvwmrd3ootvjr2fu@LK-Perkele-VII>
References: <D6717B12-60FE-4E08-812E-4C5FB1B908F6@sn3rd.com> <20170720070217.xvwmrd3ootvjr2fu@LK-Perkele-VII>
From: Watson Ladd <watson@cloudflare.com>
Date: Thu, 20 Jul 2017 09:33:40 -0700
Message-ID: <CAN2QdAHOc2+N6xCi6P3HX1D+UYiPWK7kOTmj8V9GSg_OjOqSgA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="001a114b56d6ada1230554c24f3f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zCwqZC-ygzlrACjfXtT4mplASe8>
Subject: Re: [TLS] draft-ietf-tls-exported-authenticator questions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 16:33:44 -0000
On Thu, Jul 20, 2017 at 12:02 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > While reading/implementing draft-ietf-tls-exported-authenticator I came > across the following: > > 1) > > The exporter labels are the opposite way around for handshake > contexts and finished keys, which makes little sense. > > The text seems to imply that the finished key label the client > uses for sending is "EXPORTER-server authenticator finished key". > That is clearly bug. Thanks for commenting. > > 2) > > In TLS 1.2, even if TLS PRF is not used, the hash function that > absolutely must exist is called "the hash function to use in the > Finished message computation" or "the hash function defined for the > Finished message computation" (and if TLS PRF is used, this hash is > the same hash function as the one underlying TLS PRF). > > TLS 1.3 is less consistent: > > - "the Hash algorithm for the handshake" (4.4.4) > - "KDF hash algorithm" (4.6.1) > - "the cipher suite hash algorithm" (7.1) > - "the [...] hash algorithm to be used with HKDF" (B.4) > > ... All those apparently refer to one and the same thing. > > 3) > > What is the Hash() in > > "Hash(Handshake Context || Certificate)" and > "Hash(Handshake Context || Certificate || CertificateVerify)" > > ? > > I presume it is the same hash as the one took the output length of > in 2). > That is what I interpreted it as. > > 4) > > What is "the hash function from the handshake" exactly? I presume it > is the same hash as in 3). > It's sad that there is not a hash function determined by negotiation in TLS. What text would identify it? > > > 5) > > Test vectors would be nice (use some deterministic signature, like > Ed25519)... > > I have one set of vectors I dumped from my implementation, but no > idea if those are correct (for example, I assumed that the handshake > context and finished labels are the same way around, and the hash for > points 2 to 4 is the hash function defined for the Finished message > computation in the TLS connection the authenticator is to be created > from). > There is a site at leftshark.tls13.com that uses this extension. It hasn't been updated for the latest draft just yet > > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] GH repo location for draft-ietf-tls-exporte… Sean Turner
- [TLS] draft-ietf-tls-exported-authenticator quest… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-exported-authenticator q… Watson Ladd
- Re: [TLS] draft-ietf-tls-exported-authenticator q… Benjamin Kaduk
- Re: [TLS] draft-ietf-tls-exported-authenticator q… Watson Ladd
- Re: [TLS] draft-ietf-tls-exported-authenticator q… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-exported-authenticator q… Watson Ladd
- Re: [TLS] draft-ietf-tls-exported-authenticator q… Martin Thomson