Subject: Re: [pkcs11] Groups - TLS 1.2 mechanisms uploaded
Hi Robert -
I don't have any big problems with the TLS derive mechanisms, but I do have a problem exposing the TLS1.2 PRF as a directly callable mechanism. In the the protocol, the PRF is used to both derive keys and to perform a MAC over the final data. The problem is that the PRF produces public data by default, which means that you can use the PRF to derive the key data - since both the keys and the MAC are derived from the TLS master key. I'd provided the fixes for this in conjunction with my C_DeriveKeys proposal. I've attached only the relevant section above. Basically, the TLS12MAC mechanism uses the TLS PRF as an internal function and doesn't allow you to specify arbitrary labels. By preventing the specification of arbitrary labels, you can prevent the release of the key material since that key material uses different labels to generate it. Lastly, I would prohibit the release of IV material to the CK_SSL_KEY_MAT_OUT structure (para 6 of 1.1.6) as you can cause the release of key material by simply shrinking the lengths of the keys requested for the first four slots - that causes the key material to leak into the IV space. Mike On 7/31/2013 8:41 PM, Robert Relyea wrote: Submitter's message |
Attachment:
pkcs11-tls-mac.docx
Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document
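The two points in the message above (a Finished-MAC mechanism that fixes the PRF label internally, and a key-material request whose lengths must match the cipher suite rather than the caller's wishes) can be made concrete with a small model of the TLS 1.2 PRF. The following is an added example written for this archive page; it is not Mike's attached text, not the PKCS#11 draft, and not any token vendor's code. The PRF, the "key expansion" label, the server_random + client_random seed order and the MAC/key/IV slot order are RFC 5246's; the sample master secret, randoms, handshake hash, the `SUITE_LENGTHS` table and every function name are this example's own assumptions.

```python
import hmac

# Constructed sample inputs (not taken from the mailing-list thread).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
HANDSHAKE_HASH = b"\x33" * 32   # stands in for Hash(handshake_messages)

# The only labels a MAC-style mechanism may pass to the PRF.
FINISHED_LABELS = {b"client finished", b"server finished"}

# (mac_len, key_len, iv_len) as RFC 5246 section 6.3 fixes them per suite;
# the table itself is an assumption of this example, not a PKCS#11 structure.
SUITE_LENGTHS = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": (20, 16, 16),
}


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_<hash> data expansion from RFC 5246 section 5 (HMAC chain A(i))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def label_is_allowed(label: bytes) -> bool:
    return label in FINISHED_LABELS


def tls12_mac(master_secret: bytes, label: bytes, handshake_hash: bytes, length: int = 12) -> bytes:
    """Finished-message MAC. The PRF is internal and the label is restricted, so a
    caller holding only a MAC handle cannot request the 'key expansion' output."""
    if not label_is_allowed(label):
        raise ValueError("label not permitted for a MAC mechanism: %r" % label)
    return tls12_prf(master_secret, label, handshake_hash, length)


def key_block(master_secret: bytes, client_random: bytes, server_random: bytes, total: int) -> bytes:
    return tls12_prf(master_secret, b"key expansion", server_random + client_random, total)


def split_key_block(block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Slice the key block in the RFC 5246 order: MAC keys, write keys, IVs."""
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    parts, pos = {}, 0
    for name, n in zip(names, sizes):
        parts[name] = block[pos:pos + n]
        pos += n
    return parts


def derive_key_material(master_secret, client_random, server_random, mac_len, key_len, iv_len) -> dict:
    """Unchecked derivation: slices whatever lengths the caller asks for."""
    total = 2 * (mac_len + key_len + iv_len)
    return split_key_block(key_block(master_secret, client_random, server_random, total),
                           mac_len, key_len, iv_len)


def shrunken_ivs_expose_mac_keys() -> bool:
    """The check behind the last paragraph of the message: because P_hash output is a
    fixed stream, asking for zero-length MAC and write keys moves the real MAC keys
    into the IV slots, which CK_SSL_KEY_MAT_OUT would hand back in the clear."""
    honest = derive_key_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 20, 16, 16)
    shrunk = derive_key_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 0, 0, 20)
    return (shrunk["client_iv"] == honest["client_mac"]
            and shrunk["server_iv"] == honest["server_mac"])


def validate_key_mat_request(suite: str, mac_len: int, key_len: int, iv_len: int) -> bool:
    """Lengths must be exactly the suite's, so the IV slots can only ever hold IV bytes."""
    return SUITE_LENGTHS.get(suite) == (mac_len, key_len, iv_len)


def derive_key_material_checked(suite, master_secret, client_random, server_random,
                                mac_len, key_len, iv_len) -> dict:
    if not validate_key_mat_request(suite, mac_len, key_len, iv_len):
        raise ValueError("requested lengths do not match %s" % suite)
    return derive_key_material(master_secret, client_random, server_random, mac_len, key_len, iv_len)


if __name__ == "__main__":
    print("shrunken request leaks MAC keys into IV slots:", shrunken_ivs_expose_mac_keys())
    print("finished MAC:", tls12_mac(MASTER_SECRET, b"client finished", HANDSHAKE_HASH).hex())
```

Two design points follow from running it. First, `tls12_mac` never accepts a label argument that reaches the PRF unfiltered, which is the property Mike's TLS12MAC mechanism relies on: the Finished labels and the "key expansion" label share one master secret, so the only thing keeping the key block private is that a MAC caller cannot choose the label. Second, `derive_key_material` shows why the caller-chosen lengths in CK_SSL_KEY_MAT_OUT are the problem rather than the IV output as such; `derive_key_material_checked` refuses any length triple that is not the negotiated suite's, which closes the shrinking path without changing what an honest client receives.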