On Fri, Feb 24, 2017 at 11:47:32AM -0500, Hugo Krawczyk wrote:
> Martin,
>
> Which of these two derivation schemes are you proposing?
> Are you assuming that all uses of the exporter_secret are known at the end
> of
> the handshake? If not, you still need to keep an exporter_secret beyond the
> handshake.
>
> Master Secret
> |
> |
> +-----> Derive-Secret(., "exporter master secret 1",
> | ClientHello...Server Finished)
> | = exporter_secret_1
> |
> +-----> Derive-Secret(., "exporter master secret 2",
> ClientHello...Server Finished)
> = exporter_secret_2
>
> Or:
>
> Master Secret
> |
> |
> +-----> Derive-Secret(., "exporter master secret",
> ClientHello...Server Finished)
> = exporter_secret
> |
> +-----> Derive-Secret(., "exporter secret
> 1",
> | what_exactly)
> | = exporter_secret_1
> |
> |
> +-----> Derive-Secret(., "exporter secret
> 2",
> what_exactly)
> = exporter_secret_2
>
>
> (I wrote "what exactly" since I am not sure what do you plan to include
> there.)
I interpretted it to be something like follows:
Master secret
+ Derive-Secret(label="exporter master secret",
context=ClientHello...ServerFinished)
+ Derive-Secret(label=EXPORTER-FOO, context=<blank>)
+ Derive-Secret(label="exporter", context=<context#1>)
+ Derive-Secret(label="exporter", context=<context#2>)
+ Derive-Secret(label=EXPORTER-BAR, context=<blank>)
+ Derive-Secret(label="exporter", context=<context#1>)
+ Derive-Secret(label="exporter", context=<context#3>)
But I don't know how useful that would be, as it requires knowing all
labels one is going to use (or one needs to keep EMS around anyway).
-Ilari
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
