On Fri, Feb 24, 2017 at 11:47:32AM -0500, Hugo Krawczyk wrote:
> Martin,
> 
> Which of these two derivation schemes are you proposing?
> Are you assuming that all uses of the exporter_secret are known at the end of
> the handshake? If not, you still need to keep an exporter_secret beyond the
> handshake.
> 
> Master Secret
>       |
>       |
>       +-----> Derive-Secret(., "exporter master secret 1",
>       |                     ClientHello...Server Finished)
>       |                     = exporter_secret_1
>       |
>       +-----> Derive-Secret(., "exporter master secret 2",
>                             ClientHello...Server Finished)
>                             = exporter_secret_2
> 
> Or:
> 
> Master Secret
>       |
>       |
>       +-----> Derive-Secret(., "exporter master secret",
>                             ClientHello...Server Finished)
>                             = exporter_secret
>                                  |
>                                  +-----> Derive-Secret(., "exporter secret 1",
>                                  |                     what_exactly)
>                                  |                     = exporter_secret_1
>                                  |
>                                  |
>                                  +-----> Derive-Secret(., "exporter secret 2",
>                                                        what_exactly)
>                                                        = exporter_secret_2
> 
> 
> (I wrote "what exactly" since I am not sure what you plan to include
> there.)

I interpreted it to be something like the following:

Master secret
 + Derive-Secret(label="exporter master secret", context=ClientHello...ServerFinished)
    + Derive-Secret(label=EXPORTER-FOO, context=<blank>)
      + Derive-Secret(label="exporter", context=<context#1>)
      + Derive-Secret(label="exporter", context=<context#2>)
    + Derive-Secret(label=EXPORTER-BAR, context=<blank>)
      + Derive-Secret(label="exporter", context=<context#1>)
      + Derive-Secret(label="exporter", context=<context#3>)


But I don't know how useful that would be, as it requires knowing all
labels one is going to use (or one needs to keep EMS around anyway).


-Ilari
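
The three-tier layout sketched in the reply above, as an added Python example that is not part of the original thread: it derives one secret per known label, drops the parent, and shows that an unanticipated label can then no longer be served. The HkdfLabel encoding with the "tls13 " prefix follows RFC 8446 and is an assumption here (the thread predates it); `ExporterState` is a hypothetical helper, and the all-zero master secret and transcript bytes are constructed.

```python
import hashlib, hmac, struct

HASH = hashlib.sha256

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def derive_secret(secret, label, messages):
    """Derive-Secret: HKDF-Expand-Label over Hash(messages), output Hash.length.
    HkdfLabel encoding per RFC 8446 (assumption; the thread predates it)."""
    n = HASH().digest_size
    full_label, ctx = b"tls13 " + label, HASH(messages).digest()
    info = (struct.pack("!H", n) + bytes([len(full_label)]) + full_label
            + bytes([len(ctx)]) + ctx)
    return hkdf_expand(secret, info, n)

class ExporterState:
    """Hypothetical holder: keeps one secret per label known at handshake end
    and never stores the exporter master secret itself."""
    def __init__(self, exporter_master_secret, known_labels):
        # Middle tier: Derive-Secret(label=EXPORTER-X, context=<blank>)
        self._per_label = {label: derive_secret(exporter_master_secret, label, b"")
                           for label in known_labels}

    def export(self, label, context):
        if label not in self._per_label:
            # The limitation noted in the reply: a label that was not
            # anticipated cannot be served without the discarded parent.
            raise KeyError("label was not pre-derived")
        # Bottom tier: Derive-Secret(label="exporter", context=<context#N>)
        return derive_secret(self._per_label[label], b"exporter", context)

# Constructed sample inputs (not real handshake data).
MASTER_SECRET = bytes(32)
TRANSCRIPT = b"ClientHello...ServerFinished (constructed)"
EMS = derive_secret(MASTER_SECRET, b"exporter master secret", TRANSCRIPT)
STATE = ExporterState(EMS, [b"EXPORTER-FOO", b"EXPORTER-BAR"])

if __name__ == "__main__":
    print(STATE.export(b"EXPORTER-FOO", b"context#1").hex())
    print(STATE.export(b"EXPORTER-BAR", b"context#1").hex())
```
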
