On Thu, Feb 9, 2017 at 4:15 PM, Eric Rescorla <e...@rtfm.com> wrote:
> I've just posted a pull request which slightly adjusts the structure of
> key derivation.
> PR#875 adds another Derive-Secret stage to the left side of the key ladder
> between each pair of HKDF-Extracts. There are two reasons for this:
>
> - Address a potential issue raised by Trevor Perrin where an attacker
> somehow forces the IKM value to match the label value for Derive-Secret,
> in which case the output of HKDF-Extract would match the derived secret.
> This doesn't seem like it should be possible for any of the DH variants
> we are using, and it's not clear that it would lead to any concrete
> attack, but in the interest of cleanliness, it seemed good to address.
>
> - Restore Extract/Expand parity which gives us some flexibility in
> case we want to replace HKDF.
>
I want to stress, also as advice for future uses of HKDF, that a recommended practice for HKDF is to always follow HKDF-Extract with HKDF-Expand. That's how HKDF is defined and departing from it should be done with utmost care. The issue raised by Trevor is an example of such subtleties. In particular, note that HKDF-Extract does not carry an "info" input while HKDF-Expand does, and such a field is almost always essential for key separation and to tie derived keys to some particular context.

Hugo

> I don't expect this change to be controversial and I'll merge it on Monday
> unless I hear objections.
>
> Thanks,
> -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
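The ladder change from the quoted PR text and the Extract/Expand overlap Hugo's reply points at, as an added Python example (not code from PR#875, the draft or this thread). The labels and HkdfLabel encoding are RFC 8446's final form, which differ from the 2017 draft's; the PSK, transcript and colliding IKM are constructed byte strings that exist only to show the structural point.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM). Note: no 'info' input."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]

def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HkdfLabel in its RFC 8446 encoding (the 2017 draft used another prefix)."""
    full = b"tls13 " + label
    return (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret = HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)."""
    return hkdf_expand(secret, hkdf_label(label, HASH(messages).digest(), HASH_LEN), HASH_LEN)

def handshake_secret(psk: bytes, dhe: bytes, with_derived: bool):
    """Early and Handshake Secrets. with_derived=True inserts PR#875's Derive-Secret
    stage, so the second Extract is keyed by a derived value, not Early Secret itself."""
    early = hkdf_extract(b"\x00" * HASH_LEN, psk)
    salt = derive_secret(early, b"derived", b"") if with_derived else early
    return early, hkdf_extract(salt, dhe)

def extract_collides_with_derive(with_derived: bool) -> bool:
    """Shows the overlap behind Trevor Perrin's point: HMAC(k, HkdfLabel || 0x01) is
    both HKDF-Extract(k, IKM) for that IKM and the first block of Derive-Secret(k, ...).
    The IKM here is a constructed byte string, not a DH output the thread says can occur."""
    psk = b"\x11" * HASH_LEN                         # constructed sample PSK
    client_hello = b"constructed ClientHello bytes"  # constructed transcript
    label = b"c e traffic"
    ikm = hkdf_label(label, HASH(client_hello).digest(), HASH_LEN) + b"\x01"
    early, hs = handshake_secret(psk, ikm, with_derived)
    return hs == derive_secret(early, label, client_hello)
```

Without the extra stage the two derivations produce the same bytes for that IKM; with the "derived" step between the Extracts they no longer can, which is the Extract-then-Expand discipline Hugo recommends.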