Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

Eric Rescorla <ekr@rtfm.com> Mon, 21 December 2015 02:10 UTC

In-Reply-To: <CAFewVt6KptT9B2Oe0t7XRzZDGsYRUsLapm-MHJjg-zfJ1UqrOw@mail.gmail.com>
References: <CAFewVt6=ztWUs-i5EvGaFE=_r_UgHsr_KsOwFyX+ngx6_J-tnA@mail.gmail.com> <CAFewVt7G3FVEyapwL=GE=fZ2HFaaJEYQv0rp-GmA_EdkhyQx=w@mail.gmail.com> <CAMfhd9WV=VPECOJG30cskeFtUkfGN3BM5S-n6ctCXFkW2-38jw@mail.gmail.com> <CAFewVt5aNfUyts=OvDnhXoYA5xerpYsdoLiSmEHDEDHhqAsPDQ@mail.gmail.com> <CABcZeBOqj5kYfSGhqEdT6ojCVyjF6xXbquU2nPtRok2jj1+BcA@mail.gmail.com> <CAFewVt6KptT9B2Oe0t7XRzZDGsYRUsLapm-MHJjg-zfJ1UqrOw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 20 Dec 2015 18:09:19 -0800
Message-ID: <CABcZeBMTCrxzGkTFqqwNrCaK6tcFQ+q9h2qRSY9dW9XRvTxnzw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zpWSbjZMyQOQmm2_DU4NrpmmudA>
Cc: Adam Langley <agl@imperialviolet.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

On Sun, Dec 20, 2015 at 5:50 PM, Brian Smith <brian@briansmith.org> wrote:

> Eric Rescorla <ekr@rtfm.com> wrote:
>
>> On Sun, Dec 20, 2015 at 5:13 PM, Brian Smith <brian@briansmith.org>
>> wrote:
>>
>>> Adam Langley <agl@imperialviolet.org> wrote:
>>>
>>>> On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <brian@briansmith.org>
>>>> wrote:
>>>> > That is, it seems it would be better to use HKDF-SHA512 instead of
>>>> > **HKDF-SHA256**.
>>>>
>>>> I assume that you mean for TLS 1.3 since you mention HKDF?
>>>
>>>
>>> No, I mean for all versions of TLS.
>>>
>>
>> Do you mean using SHA-512 in the TLS 1.2 PRF? Or something else?
>>
>
> Yes, for TLS 1.2 and TLS 1.3.
>

Sorry, I'm still confused. TLS 1.2 uses a specific PRF. TLS 1.3 uses HKDF.
Are you suggesting TLS 1.2 use the TLS 1.2 PRF with SHA-512 and that
TLS 1.3 use SHA-512 with HKDF, or something different?

>> The MTI cipher suites for TLS 1.2 and 1.3 require SHA-256 and
>> All the AES-GCM ciphers already require SHA-256 or SHA-384, so it
>> seems like the vast majority of implementations are going to require at
>> least one of these algorithms in any case.
>>
>
> Nobody should pay attention to what the MTI cipher suite for TLS 1.2 is,
> because it's obsolete; in fact, one would be making a huge mistake to
> deploy it now if one's application didn't have legacy backward
> compatibility concerns. And, we should change the MTI cipher suite for TLS
> 1.3 to the ChaCha20-Poly1305 ones, because they solve a lot of problems.
> For example, they remove any question of any need to implement rekeying,
> they avoid the weird IV construction hacks that are necessary for 128-bit
> cipher suites like AES-GCM, and they can be implemented efficiently in a
> safe way, unlike AES-GCM.
>

This seems like a separate question.

SHA-256-using cipher suites are widely deployed and not going away any time
soon, so what resource are you trying to conserve here?

-Ekr
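The two key-derivation constructions being contrasted in this thread, the TLS 1.2 PRF of RFC 5246 and HKDF as used in TLS 1.3, written out with the hash as an explicit parameter. This is an added example, not code from either Ekr's or Brian's messages; the pre-master secret and random values are constructed for illustration, and the HKDF input is test case 1 of RFC 5869. It shows what "the TLS 1.2 PRF with SHA-512" and "HKDF with SHA-512" each mean in practice: the digest is a plug-in in both, and swapping it changes the HMAC core and the per-block output size but nothing else about the construction.

```python
"""TLS 1.2 PRF (RFC 5246, section 5) and HKDF (RFC 5869), each parameterized by digest.

Added example for the thread above, not code from the original messages. The TLS
secrets and randoms are constructed values; the HKDF vector is RFC 5869 test case 1.
"""
import hashlib
import hmac


def hmac_hash(digest: str, key: bytes, msg: bytes) -> bytes:
    """HMAC_<hash>(key, msg) for any digest name hashlib knows (sha256, sha384, sha512)."""
    return hmac.new(key, msg, digest).digest()


def p_hash(digest: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> data expansion from RFC 5246 section 5:

        A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
        P_hash = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    """
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac_hash(digest, secret, a)
        out += hmac_hash(digest, secret, a + seed)
    return bytes(out[:length])


def tls12_prf(digest: str, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(digest, secret, label + seed, length)


def tls12_master_secret(digest: str, pre_master_secret: bytes,
                        client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47].

    The 48-byte length is fixed by the protocol; only the digest varies per cipher suite.
    """
    return tls12_prf(digest, pre_master_secret, b"master secret",
                     client_random + server_random, 48)


def hkdf_extract(digest: str, salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC_hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(digest).digest_size
    return hmac_hash(digest, salt, ikm)


def hkdf_expand(digest: str, prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC_hash(PRK, T(i-1) + info + i), OKM = T(1) + T(2) + ... [0..L-1]."""
    hash_len = hashlib.new(digest).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand: L may not exceed 255 * HashLen")
    out = bytearray()
    t = b""
    counter = 1
    while len(out) < length:
        t = hmac_hash(digest, prk, t + info + bytes([counter]))
        out += t
        counter += 1
    return bytes(out[:length])


# Constructed inputs (not real handshake material).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

# RFC 5869, test case 1 (SHA-256).
RFC5869_IKM = b"\x0b" * 22
RFC5869_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC5869_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")


if __name__ == "__main__":
    # Same 48-byte master_secret shape for every digest; only the HMAC core differs.
    for d in ("sha256", "sha384", "sha512"):
        ms = tls12_master_secret(d, PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
        print(f"TLS 1.2 PRF with {d}: {len(ms)}-byte master_secret {ms.hex()[:32]}...")
    prk = hkdf_extract("sha256", RFC5869_SALT, RFC5869_IKM)
    okm = hkdf_expand("sha256", prk, RFC5869_INFO, 42)
    print("HKDF-SHA256 PRK:", prk.hex())
    print("HKDF-SHA256 OKM:", okm.hex())
```

Two points the code makes that the thread only implies: the TLS 1.2 PRF output length is decoupled from the digest size (P_hash keeps iterating until it has enough bytes, so SHA-512 produces a 48-byte master_secret just as SHA-256 does), and HKDF-Expand has a hard ceiling of 255 * HashLen bytes per call, which is the one place where moving to a wider digest changes a limit rather than just the internals.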