Eric Rescorla <e...@rtfm.com> wrote:
> Sorry, I'm still confused. TLS 1.2 uses a specific PRF. TLS 1.3 uses HKDF.
> Are you suggesting TLS 1.2 use the TLS 1.2 PRF with SHA-512 and that
> TLS 1.2 use SHA-512 with HKDF, or something different?
>
I mean that TLS 1.2 should use SHA-512 with the TLS 1.2 PRF and that
TLS 1.3 should use SHA-512 with HKDF.

>
>> Nobody should pay attention to what the MTI cipher suite for TLS 1.2 is,
>> because it's obsolete; in fact, one would be making a huge mistake to
>> deploy it now if one's application didn't have legacy backward
>> compatibility concerns. And, we should change the MTI cipher suite for TLS
>> 1.3 to the ChaCha20-Poly1305 ones, because they solve a lot of problems.
>> For example, they remove any question of any need to implement rekeying,
>> they avoid the weird IV construction hacks that are necessary for 128-bit
>> cipher suites like AES-GCM, and they can be implemented efficiently in a
>> safe way, unlike AES-GCM.
>>
>
> This seems like a separate question.
>

You are the one that brought the MTI stuff into this, not me.

> SHA-256-using cipher suites are widely deployed and not going away any
> time soon, so what resource are you trying to conserve here?
>

I'm trying to minimize the number of algorithms (amount of code) necessary
to implement ChaCha20-Poly1305 using x25519 for key agreement and Ed25519
for signatures. The difference between needing or not needing SHA-256
matters most for very small computers (AVR and Cortex-M0), but doesn't
really matter much for larger computers where SHA-256 has an advantage. In
particular, since there seems to be a notable amount of hardware that is or
will soon be released that is optimized for ChaCha20-Poly1305+x25519+Ed25519,
because of Apple HomeKit, it would be nice to take advantage of that for
TLS.

Besides that, the inconsistency regarding why these new
256-bit-encryption-key cipher suites are currently defined to use SHA-256
in the PRF whereas all the existing 256-bit-encryption-key cipher suites
use SHA-384 seems strange. Even if an application wants to use AES-GCM
cipher suites, it would be able to avoid needing SHA-256 if it implemented
the AES256-GCM cipher suites instead of AES128-GCM.
Cheers,
Brian
-- 
https://briansmith.org/
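The two key-derivation constructions being discussed, the TLS 1.2 PRF (P_hash from RFC 5246) and HKDF (RFC 5869), shown side by side with the hash function as a pluggable parameter. This is an added illustration, not code from the thread or from any TLS implementation; the secret, label and seed values in the demo are constructed, and the only dependency is the Python standard library.

```python
import hashlib
import hmac


def _p_hash(secret: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """P_<hash> from RFC 5246 section 5: HMAC iterated over A(i) until enough
    output is produced.  A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed).
    The hash comes from the negotiated cipher suite (SHA-256 for the
    AES-128-GCM suites, SHA-384 for the AES-256-GCM suites); nothing in the
    construction itself depends on which one is chosen."""
    return _p_hash(secret, label + seed, length, hash_name)


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).  An empty salt is replaced by
    HashLen zero bytes, as RFC 5869 requires."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i = 1, 2, ..."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        out += t
        i += 1
    return out[:length]


if __name__ == "__main__":
    # Constructed demo inputs; a real handshake uses the negotiated secrets.
    secret, label, seed = b"\x01" * 32, b"master secret", b"\x02" * 64
    for h in ("sha256", "sha384", "sha512"):
        ms = tls12_prf(secret, label, seed, 48, h)          # TLS 1.2 style
        prk = hkdf_extract(seed[:16], secret, h)            # TLS 1.3 style
        okm = hkdf_expand(prk, label, 48, h)
        print(h, ms.hex()[:16], okm.hex()[:16])
```

Both derivations are driven entirely by HMAC over the chosen hash, which is the point of the thread: an implementation that already needs SHA-512 (or SHA-384) for its other suites gains nothing from also carrying SHA-256 in the PRF.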
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls