[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] PRF in TLS 1.2

To: tls@xxxxxxxx
Subject: Re: [TLS] PRF in TLS 1.2
From: Wan-Teh Chang <wtchang@xxxxxxxxxx>
Date: Tue, 26 Sep 2006 13:49:02 -0700
Cc:
In-reply-to: <86k6403hqq.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <450F222D.2020706@xxxxxxxxxx> <86k6403hqq.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0b1pre (Windows/20060922)

Eric Rescorla wrote:


Here's a summary of what was decided.

1. The default PRF is the TLS 1.1 PRF with a single hash algorithm
   and the entire key used as input to P_hash.


What's the rationale for defining the default TLS 1.2 PRF
to be similar to the TLS 1.1 PRF?

To allow developers to reuse as much of their TLS 1.0/1.1
implementation as possible?

"If it ain't broke, don't fix it"?

2. All current cipher suites will use SHA-1 in TLS 1.2.


Will using SHA-1 only result in a weaker PRF than the TLS 1.1 PRF,
which uses both MD5 and SHA-1?

3. New cipher suites will by default use the TLS 1.1 PRF with whatever
   hash they're using for HMAC.
4. New cipher suites can define a new PRF but it must use the same"API" as the TLS 1.1 PRF.


Is it required that the PRF use label and seed only in the form
of their concatenation label + seed?

This is roughly what's in the current I-D, except that I deleted

a crucial paragraph through sloppy editing. It should readapproximately:


	The PRF is derived from P_hash as:

	    PRF(secret, label, seed) = P_<hash>(secret, label + seed)

	Where <hash> is dependent on the cipher suite. For the
        cipher suites defined in this document it SHALL be SHA-1.
        For future cipher suites it SHALL be the hash used in
        the record HMAC unless otherwise specified in the cipher
        suite description.


Thanks.  When do you plan to publish a new version of the I-D?

Wan-Teh


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] PRF in TLS 1.2
  - From: Eric Rescorla

References:
- [TLS] PRF in TLS 1.2
  - From: Wan-Teh Chang
- Re: [TLS] PRF in TLS 1.2
  - From: Eric Rescorla

Prev by Date: Re: [TLS] Use of SHA-0 versus SHA-1 in SSL v3.0 and TLS v1.0 and TLS v1.1
Next by Date: Re: [TLS] PRF in TLS 1.2
Previous by thread: Re: [TLS] PRF in TLS 1.2
Next by thread: Re: [TLS] PRF in TLS 1.2
Index(es):
- Date
- Thread