Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
Zooko Wilcox-O'Hearn <zooko@zooko.com> Tue, 02 March 2010 23:07 UTC
Return-Path: <zooko@zooko.com>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D4863A8B6B for <cfrg@core3.amsl.com>; Tue, 2 Mar 2010 15:07:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31PPZZH9JFmh for <cfrg@core3.amsl.com>; Tue, 2 Mar 2010 15:07:22 -0800 (PST)
Received: from postman.allmydata.com (postman.allmydata.com [207.7.153.130]) by core3.amsl.com (Postfix) with ESMTP id D61E63A8CD1 for <cfrg@irtf.org>; Tue, 2 Mar 2010 15:07:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by postman.allmydata.com (Postfix) with ESMTP id 89E9E2234639; Tue, 2 Mar 2010 15:07:22 -0800 (PST)
X-Virus-Scanned: Ubuntu amavisd-new at allmydata.com
Received: from postman.allmydata.com ([127.0.0.1]) by localhost (postman.allmydata.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLCqvGG30Y+m; Tue, 2 Mar 2010 15:07:22 -0800 (PST)
Received: from [199.222.126.14] (unknown [199.222.126.14]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by postman.allmydata.com (Postfix) with ESMTPSA id 1A26F223430B; Tue, 2 Mar 2010 15:07:22 -0800 (PST)
In-Reply-To: <FE9E5030-975C-4400-B262-44C4A4A25095@cisco.com>
References: <20100227073250.4D9063A8642@core3.amsl.com> <FE9E5030-975C-4400-B262-44C4A4A25095@cisco.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Content-Type: text/plain; charset="WINDOWS-1252"; delsp="yes"; format="flowed"
Message-Id: <852EB5B8-9F4D-4ECC-8A24-82613C860BDB@zooko.com>
Content-Transfer-Encoding: quoted-printable
From: Zooko Wilcox-O'Hearn <zooko@zooko.com>
Date: Tue, 02 Mar 2010 15:06:47 -0800
To: David McGrew <mcgrew@cisco.com>
X-Mailer: Apple Mail (2.753.1)
Cc: Brian Weis <bew@cisco.com>, cfrg@irtf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 23:07:23 -0000
Folks: Just for your information, in the Tahoe-LAFS project we've decided not to use HKDF after all for our key-derivation needs. We do not need extraction, only expansion—all of the seeds (or "master keys") that we input to a KDF are unguessable, evenly distributed values of exactly the appropriate size. Therefore, we now intend to use a KDF which we think is simple, widely understood, efficient, and with a nice security reduction argument. Our proposed KDF is: let the resulting key be the first few bytes of the XSalsa20 keystream keyed by the master key. If this KDF is distinguishable from random then this immediately implies a significant weakness in XSalsa20 as a cipher. XSalsa20 exhibiting such a weakness would be very surprising. We can use test vectors from other people's XSalsa20 implementations to check the correctness of our KDF in our unit tests. Currently we are working on the next problem—which is out-of-scope of HKDF standardization—of how to securely, efficiently, and testably generate an integer of the appropriate range to use as the private exponent in elliptic curve DSA. You can see our notes about how to do that here: http://allmydata.org/trac/pycryptopp/ticket/2#comment:13 Thank you very much to everyone, especially Dave McGrew and Hugo Krawcyck for patiently answering my questions about HKDF. Regards, Zooko Wilcox-O'Hearn --- Your cloud storage provider does not need access to your data. Tahoe-LAFS -- http://allmydata.org
- [Cfrg] draft-irtf-cfrg-kdf-uses-00 David McGrew
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Zooko Wilcox-O'Hearn
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Robert Moskowitz
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Robert Moskowitz
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 David McGrew
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Dan Harkins