Re: [TLS] Working group last call on draft-ietf-tls-extractor-03



Hi,
 
I have a single "objection" to this document, namely, the use of the word "extractor". Let me explain.
 
In the context of key derivation functions the notion of extraction refers to a first phase where one starts with a somewhat weak source of randomness (such as an imperfect RNG, a Diffie-Hellman value, etc) and extracts a first cryptographically strong key K.
 
In a second phase, often called key expansion, one derives multiple keys out of this K using a PRF exactly as the current document specifies. Since master_secret is assumed to already be a cryptographically strong key, then this specification is sound and correct (especially that it includes the essential context information).
 
Thus I would like to see the name "extraction" changed into "expansion" or even "key derivation" to avoid adding confusion in the field.
I would agree that in this application "expansion" may not be the most representative qualifier so maybe the more generic "key derivation" terminology could be used. Yet, personally, I would prefer to keep key derivation for the whole process of extraction and expansion (which includes, for example, the initial creation of master_secret in TLS plus the derivation of further keys).
 
Other names could be possible. I am sure that Eric (or some other people in the list) can come up with creative names.
If not, please use key derivation and not key extraction.

Hugo
 
PS: I have written a detailed paper on the functionalities of key extraction and key expansion.
http://www.ee.technion.ac.il/~hugo/kdf/kdf.pdf
The focus of the paper is mainly key extraction since it is the more challenging part from a technical point of view. For those interested in the differentiation between "extraction" and "expansion" reading the introduction may be sufficient. The more theoretically-oriented can find value in the security definitions in the appendix which capture, for example, the security considerations in this draft including the independence/indistinguishability requirement under different (or even adversarially-chosen) context labels.
 

 
On Thu, Nov 6, 2008 at 1:16 PM, Joseph Salowey (jsalowey) <jsalowey at cisco.com> wrote:
This is a working group last call for review of the
draft-ietf-tls-extractor-03.  The last call will last until December 4,
2008, but it would be most useful if comments were received before the
TLS session at the IETF meeting in Minneapolis on November 20, 2008.
This will allow us to discuss issues in the meeting and resolve them in
a timely fashion.

The document is available here:

http://tools.ietf.org/html/draft-ietf-tls-extractor-03

Thanks,

Joe
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
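
The two phases distinguished in the message above, as an added example that is not part of the original email or of draft-ietf-tls-extractor. It assumes HMAC-SHA256 and the extract/expand construction of RFC 5869 as one concrete instance (the message names no specific function); `derive_for_context` and its label/context encoding are hypothetical and are not the draft's PRF input format.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def extract(salt: bytes, ikm: bytes) -> bytes:
    """Phase 1 (extraction): condense an imperfect source, such as a
    Diffie-Hellman value, into one cryptographically strong key K."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def expand(k: bytes, info: bytes, length: int) -> bytes:
    """Phase 2 (expansion): derive `length` bytes from an already strong K,
    bound to the context information in `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(k, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_for_context(k: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Hypothetical helper: expansion only, as when starting from a strong
    secret. Length prefixes keep (label, context) pairs unambiguous."""
    if len(label) > 0xFF or len(context) > 0xFFFF:
        raise ValueError("label or context too long")
    info = bytes([len(label)]) + label + len(context).to_bytes(2, "big") + context
    return expand(k, info, length)

if __name__ == "__main__":
    dh_value = bytes(range(1, 33))  # constructed stand-in for a DH shared value
    k = extract(b"constructed-salt", dh_value)
    for label in (b"EXAMPLE app A", b"EXAMPLE app B"):
        print(label.decode(), derive_for_context(k, label, b"session-1", 16).hex())
```
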