On Wed, Jul 5, 2017 at 9:11 PM, Martin Thomson <martin.thom...@gmail.com>
wrote:
> We need the length field so that calling the function with different
> lengths results in different outputs. Not that anyone should be doing
> that, of course.
>
The reason for this is that an adversarial application might do so.
Say you have the secret in an HSM that has some sort of access control
capability
that doesn't let you exfiltrate keys. If the application can make a key
that is a prefix
of another key, then you can exhaustively search the keys by first
extracting a
one-byte key and searching that, etc. (IIRC Mike St Johns pointed out this
attack to me).
Now it's not a great an attack, but it is still sort of an attack.
-Ekr
> On 6 July 2017 at 14:06, Kazu Yamamoto <k...@iij.ad.jp> wrote:
> >>> HKDF-Expand-Label(Secret, Label, *Value*, Length) =
> >>> HKDF-Expand(Secret, HkdfLabel, Length)
> >>>
> >>> struct {
> >>> uint16 length = *Value.length*;
> >>> opaque label<7..255> = "tls13 " + Label;
> >>> opaque hash_value<0..255> = *Value*;
> >>> } HkdfLabel;
> >>
> >> Length is the size of the output, so you don't want to assign
> >> Value.length to that field in the struct.
> >
> > Yes. I would remove the "length" field, too.
> >
> >> Also, you forgot to rename hash_value in the struct.
> >
> > You are right.
> >
> > --Kazu
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
