Re: [TLS] PRF in TLS 1.2
Wan-Teh Chang <wtchang@xxxxxxxxxx> writes:
> Hi,
>
> Could someone please post a description of what was decided
> about the PRF in TLS 1.2 in the Montreal WG meeting?
>
> The only documents I can find on this topic are:
>
> - Slide 7 of Eric's presentation
> (http://www3.ietf.org/proceedings/06jul/slides/tls-1.pdf)
>
> - Eric's TLS WG Summary
> http://www1.ietf.org/mail-archive/web/tls/current/msg00698.html
>
> But I can't tell from the WG summary what was decided and whether
> the proposal in Slide 7 was accepted.

Here's a summary of what was decided.

1. The default PRF is the TLS 1.1 PRF with a single hash algorithm
   and the entire key used as input to P_hash.
2. All current cipher suites will use SHA-1 in TLS 1.2.
3. New cipher suites will by default use the TLS 1.1 PRF with whatever
   hash they're using for HMAC.
4. New cipher suites can define a new PRF but it must use the same
   "API" as the TLS 1.1 PRF.

This is roughly what's in the current I-D, except that I deleted
a crucial paragraph through sloppy editing. It should read
approximately:

    The PRF is derived from P_hash as:

        PRF(secret, label, seed) = P_<hash>(secret, label + seed)

    Where <hash> is dependent on the cipher suite. For the
    cipher suites defined in this document it SHALL be SHA-1.
    For future cipher suites it SHALL be the hash used in
    the record HMAC unless otherwise specified in the cipher
    suite description.

> I'd also like to know what new PRFs have been proposed, and who
> the proponents are.

The new PRFs that people seem interested in are:

1. The GOST PRF (draft-chudov-cryptopro-cptls-03.txt)
2. The FIPS 800-56A KDF.

-Ekr