On Fri, May 8, 2020, at 17:08, Salz, Rich wrote:
> It cites it, but doesn't include it in the 800-56 doc.

Maybe I'm confused too, but it sounds like it's included to me. The
definition of the KDF includes:

> The first (randomness-extraction) step uses either HMAC … If
> HMAC-hash is used in the randomness-extraction step, then the same
> HMAC-hash (i.e., using the same hash function, hash) shall be used as
> the PRF in the key-expansion step

This sounds like this would allow for HKDF as defined in RFC 5869 (which
as far as I can tell is the same thing except with HMAC required in both
steps instead of giving you the option of using AES-CMAC), unless I've
misunderstood something (not being anywhere near an expert on this
topic, this is quite possible — even likely).

Afterwards, it cites 5869 in such a way that sounds like it's saying
that it's a subset of the approved algorithm (although "a version" is
vague and confusing):

> [RFC 5869] specifies a version of the above extraction-then-expansion
> key-derivation procedure using HMAC for both the extraction and
> expansion steps. For an extensive discussion concerning the rationale
> for the extract-and-expand mechanisms specified in this
> Recommendation, see [LNCS 6223].

The last citation in that paragraph to LNCS 6223 appears to give a long
justification for why HKDF is secure, which all together makes it sound
like HKDF is an approved algorithm and thus TLS 1.3 will be okay.

—Sam

-- 
Sam Whited
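The extract-then-expand construction discussed in this message, written out as RFC 5869 HKDF with the same HMAC used in both steps. This is an added example, not part of the original email; the choice of SHA-256 and the function names are assumptions made here, and the demo inputs are those of RFC 5869 test case 1.

```python
import hashlib
import hmac

# Assumption for this example: SHA-256 as the hash used in both steps.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Randomness-extraction step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt defaults to HashLen zero bytes.
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Key-expansion step: the same HMAC-Hash used as the PRF, keyed by PRK."""
    if len(prk) < HASH_LEN:
        raise ValueError("PRK must be at least HashLen bytes")
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be between 1 and 255*HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        # T(i) = HMAC-Hash(PRK, T(i-1) | info | i), with T(0) empty.
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full two-step derivation: extract, then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


if __name__ == "__main__":
    # Inputs of RFC 5869 Appendix A.1 (test case 1).
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    print("PRK:", hkdf_extract(salt, ikm).hex())
    print("OKM:", hkdf(salt, ikm, info, 42).hex())
```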