On Mon, Apr 24, 2017 at 08:28:33AM -0700, Eric Rescorla wrote: > On Mon, Apr 24, 2017 at 8:24 AM, Ilari Liusvaara <ilariliusva...@welho.com> > wrote: > > > On Mon, Apr 24, 2017 at 05:56:58AM -0700, Eric Rescorla wrote: > > > https://github.com/tlswg/tls13-spec/issues/964 > > > > > > Here is a proposed set of new labels, which, while slightly less clear, > > all > > > fit > > > into the 18 byte limit which Ilari (and I agree) says is what we have.
Aargh, turns out that Merke-Damgård strengthening probably affects things... For SHA-256, MD strengthening consists of padding bit and 64-bit message bit count, for total of 65-512 bits of padding. Trying to construct the raw SHA-256 message words for inner hash with 9 byte label (K is key, L is label, H is hash). KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 00201254 4C532031 2E332C20 LLLLLLLL LLLLLLLL LL20HHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHH0180 00000000 000003B8 Adding 10th byte to label seems to blow the block (0x3C0=1*512+448): KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK KKKKKKKK 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 00201354 4C532031 2E332C20 LLLLLLLL LLLLLLLL LLLL20HH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHHHH HHHHHH01 80000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000003C0 For comparision, with SHA-384, the blocks for 9-byte label seem to be: KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKK 3636363636363636 3636363636363636 3636363636363636 3636363636363636 3636363636363636 3636363636363636 3636363636363636 3636363636363636 3636363636363636 3636363636363636 003012544C532031 2E332C20LLLLLLLL LLLLLLLLLL30HHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHH HHHHHHHHHHHH0180 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000638 (Which has 327 hash block padding bits). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
