[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ietf-tls
Subject:    Re: [TLS] HKDF
From:       Dave Garrett <davemgarrett () gmail ! com>
Date:       2015-03-23 20:15:26
Message-ID: 201503231615.26528.davemgarrett () gmail ! com
[Download RAW message or body]

On Monday, March 23, 2015 10:19:59 am Eric Rescorla wrote:
> As I mentioned in a previous message [0] during the interim we discussed
> moving from the TLS PRF to HKDF [RFC5869].
> 
> The general sentiment was:
> 
> - Move to HKDF
> - Specify both SHA-256 and SHA-384 (the latter being required for
> Suite B)
> 
> This is also the time when we would want to look at adjusting
> the key expansion to separate keys and IVs (assuming we still
> have IVs).
> 
> Please use this thread to discuss this topic.
> 
> -Ekr
> 
> [0] https://www.ietf.org/mail-archive/web/tls/current/msg15621.html

Adding support for SHA-3 hashes seems like a good idea at this point.

There's also issue #26 [1] which proposed picking a one-true-hash. I also proposed a \
SHA2+SHA3 construct as a possible route, which was briefly discussed [2]. (construct \
TBD by CFRG) The basic premise of a combined hash in this instance is to provide a \
better guarantee of security if either SHA-2 or SHA-3 were to be broken.

Any of this viable at this juncture?

[1] https://github.com/tlswg/tls13-spec/issues/26
[2] https://www.ietf.org/mail-archive/web/tls/current/msg13264.html


Dave


[prev in list] [next in list] [prev in thread] [next in thread]