Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Christopher Patton
I worked out this suggestion into a PR: https://github.com/tlswg/draft-ietf-tls-esni/pull/276

Please have a look!

Chris P.

On Mon, Aug 17, 2020 at 4:28 PM Martin Thomson wrote:
>
> On Tue, Aug 18, 2020, at 09:04, Christopher Patton wrote:
> > Just to be clear, you're proposing something like

Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Martin Thomson
On Tue, Aug 18, 2020, at 09:04, Christopher Patton wrote:
> Just to be clear, you're proposing something like this? Referring to
> the KDF API called for in draft-irtf-cfrg-hpke-05:
>
> config_digest = Expand(PRK=Extract("some_salt", "some_label",
> IKM=config), "some_info", 16)
> It's maybe

Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Christopher Wood
On Mon, Aug 17, 2020, at 3:30 PM, Martin Thomson wrote:
>
> On Tue, Aug 18, 2020, at 07:55, Christopher Patton wrote:
> > Hi Martin,
> >
> > > Or maybe just running the HPKE KDF with a fixed input.
> > Do you mean something like this? Let `config_digest = KDF.extract("some
> > salt", "some

Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Christopher Patton
Just to be clear, you're proposing something like this? Referring to the KDF API called for in draft-irtf-cfrg-hpke-05:

    config_digest = Expand(PRK=Extract("some_salt", "some_label", IKM=config), "some_info", 16)

It's maybe more hashing than necessary, but I'd be good with this.

Chris P.

Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Martin Thomson
On Tue, Aug 18, 2020, at 07:55, Christopher Patton wrote:
> Hi Martin,
>
> > Or maybe just running the HPKE KDF with a fixed input.
> Do you mean something like this? Let `config_digest = KDF.extract("some
> salt", "some label", config)`, where `config` is the ECH configuration?

Sure. I

Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Christopher Patton
Hi Martin,

> Or maybe just running the HPKE KDF with a fixed input.

Do you mean something like this? Let `config_digest = KDF.extract("some salt", "some label", config)`, where `config` is the ECH configuration?

Unless I've missed something critical, you don't need any sort of preimage >

Re: [TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Martin Thomson
On Tue, Aug 18, 2020, at 07:09, Christopher Wood wrote:
> HPKE recently removed the Hash() interface from the KDF, which means we
> need to either (a) change how the config_digest (formerly
> record_digest) is computed, or (b) constrain ECH to HKDF-based HPKE
> ciphersuites. This PR takes

[TLS] Constraining ECH to HKDF-based HPKE ciphersuites

2020-08-17 Thread Christopher Wood
HPKE recently removed the Hash() interface from the KDF, which means we need to either (a) change how the config_digest (formerly record_digest) is computed, or (b) constrain ECH to HKDF-based HPKE ciphersuites. This PR takes approach (b):