On Thu, Oct 08, 2015 at 12:04:51PM +0200, Eric Rescorla wrote:
>
> Well, TLS 1.3 doesn't have a PRF, but instead explicitly uses HKDF.
>
> With that said, I don't really understand the structure of your draft:
> Instead of referencing the PRF and session_hash directly, why not instead
> use RFC 5705 exporters and require the use of the session_hash extension?
> Then TLS 1.3 can just define exporters for 1.3 and we'll be done.
TLS 1.3 is different since TLS 1.3 always behaves like session_hash was
negotiated, whereas session_hash was a security fix for earlier versions.

One idea for TLS-unique for TLS 1.3:

Invoke TLS-EXPORTER with:

  label: "TLS 1.3 tls-unique"
  context: No context
  Length: 256

And define TLS-EXPORTER for TLS 1.3 as (this looks ugly; is there some
better way of handling both the context and no-context cases? In the
original RFC, those were different):

  tmp = HKDF-Extract(label, exporter_secret)
  output = HKDF-Expand(tmp, 0x01 | context, L)

or (no context case)

  tmp = HKDF-Extract(label, exporter_secret)
  output = HKDF-Expand(tmp, <blank>, L)

This is slightly different from other uses of HKDF. I don't mix in session
hash since exporter_secret is already Secret Nonce.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
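The exporter shape and tls-unique derivation sketched in the message above, written out as an added example (it is not code from the message, the draft, or any TLS implementation, and it is not what TLS 1.3 finally standardized). It assumes SHA-256 as the HKDF hash and the RFC 5869 argument order HKDF-Extract(salt, IKM) / HKDF-Expand(PRK, info, L), so the label becomes the salt; the message's "256" is passed to HKDF-Expand as an octet length exactly as written, and the exporter_secret is a constructed sample value.

```python
import hmac
from hashlib import sha256

HASH_LEN = sha256().digest_size  # 32 octets for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract(salt, IKM) = HMAC-Hash(salt, IKM), RFC 5869 section 2.2."""
    return hmac.new(salt, ikm, sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand(PRK, info, L), RFC 5869 section 2.3:
    T(i) = HMAC-Hash(PRK, T(i-1) | info | i), output = first L octets of T(1)|T(2)|..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: L must be <= 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tls13_exporter_proposal(exporter_secret: bytes, label: bytes,
                            context: "bytes | None", length: int) -> bytes:
    """Exporter as sketched in the message (assumption: label is the HKDF salt,
    exporter_secret the IKM). The 'no context' case uses an empty info string,
    the 'with context' case prefixes the context with a 0x01 byte, so an empty
    context is still distinguishable from no context at all."""
    tmp = hkdf_extract(label, exporter_secret)
    info = b"" if context is None else b"\x01" + context
    return hkdf_expand(tmp, info, length)


def tls13_tls_unique_proposal(exporter_secret: bytes) -> bytes:
    """tls-unique as proposed: label "TLS 1.3 tls-unique", no context, length 256."""
    return tls13_exporter_proposal(exporter_secret, b"TLS 1.3 tls-unique", None, 256)


if __name__ == "__main__":
    # Constructed sample secret; a real exporter_secret comes out of the handshake key schedule.
    sample_secret = bytes(range(32))
    print(tls13_tls_unique_proposal(sample_secret).hex())
```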