Re: [Cfrg] CMAC for extraction
Robert Moskowitz <rgm-sec@htt-consult.com> Wed, 14 July 2010 03:05 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F2C43A68BE for <cfrg@core3.amsl.com>; Tue, 13 Jul 2010 20:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[AWL=1.200, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EoqsPANFL1Aq for <cfrg@core3.amsl.com>; Tue, 13 Jul 2010 20:05:14 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id 834583A67AE for <cfrg@irtf.org>; Tue, 13 Jul 2010 20:05:11 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 24E2068B52; Wed, 14 Jul 2010 02:56:48 +0000 (UTC)
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0-mQYb3T-DDn; Tue, 13 Jul 2010 22:56:37 -0400 (EDT)
Received: from nc2400.htt-consult.com (unknown [12.2.200.10]) (Authenticated sender: rgm-sec@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id EB7C368B48; Tue, 13 Jul 2010 22:56:36 -0400 (EDT)
Message-ID: <4C3D2962.7010609@htt-consult.com>
Date: Tue, 13 Jul 2010 20:05:06 -0700
From: Robert Moskowitz <rgm-sec@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-2.fc12 Thunderbird/3.0.4
MIME-Version: 1.0
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
References: <AANLkTimQs4s69bM2okrETKQUIf9r33wu7wEeMR8WK265@mail.gmail.com>
In-Reply-To: <AANLkTimQs4s69bM2okrETKQUIf9r33wu7wEeMR8WK265@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090502090309000308070709"
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] CMAC for extraction
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2010 03:05:16 -0000
Oh, and this is the sort of analysis that somehow has to be captured for future reference when some where along the line some other person asks this again. On 07/13/2010 06:50 PM, Hugo Krawczyk wrote: > Bob, I cannot give an assessment of protocols or standards that I am not > familiar with, and IEEE 802.15.6 is one of them. So let me give you a > generic > answer to your question (quoted at the end of this message) that does not > take into account the specifics of IEEE 802.15.6 but only the question > of how > to use a block cipher in CMAC mode to process a DH key (the details of > IEEE 802.15.6 may or may not interfere with this advise). > > There are two obvious problems with inputting the DH key directly as > CMAC key: > (1) the DH key is likely to be of a different size than the CMAC key, > (2) the DH key is not a uniformly distributed string (but rather a > uniformly > distributed element in some algebraic group -- more precisely, > assuming the > Decisional Diffie-Hellman assumption, the distribution of DH keys is > computationally indistinguishable from the uniform distribution on the DH > group). > > A trivial way to resolve the first issue (assuming the DH key is > longer than the > CMAC one) is to truncate the DH key to the number of CMAC key bits. > There are > theoretical reasons (though not necessarily an attack) NOT to do so > (e.g., since > the DH key is not a uniform string of bits, a subset of it may not be > uniform > either). A better way would be to apply an extractor to the DH key and > use the output > as the CMAC key (much as in the HKDF design). Since you do not want to > use a > hash function then you need to do the extraction using the block > cipher itself. > I only know of one work that analyzes such a scheme and it is the > Dodis-Gennaro-Hastad-Krawczyk-Rabin paper from Crypto'04. There we > show that if > the block cipher acts as a family of random permutations then you can > use CMAC > with that block cipher as an extractor. The security bounds guaranteed > by that > analysis are not great (and the random permutation assumption is an > idealized > one), yet it is the best analysis we have for such a beast. > > NOTE: Our revised analysis of the CBC case replaces the expression e(L,K) > in the proceedings version of the paper with L^4/K^2 which is worse > than the > original bound but of little consequence in the application below > where L is a > very small number (i.e., L= the number of blocks in the representation > of DHK, > where the length of a block is determined by the underlying block cipher). > The available version of the paper (with the old bound) is > http://cs.nyu.edu/~dodis/ps/hmac.ps > <http://cs.nyu.edu/%7Edodis/ps/hmac.ps>. > > If you want to buy that analysis as an indication of security then I > can suggest > the following. Let DHK be the DH key that is output by your protocol > and let CK > be the CMAC key that you want to generate. > > (a) Assuming that you are running an authenticated Diffie-Hellman protocol > between the parties to generate the DH key DHK, add to the protocol the > generation of a nonce that is exchanged and AUTHENTICATED by the parties. > This nonce, call it N, is to be of the length of the CMAC key (and it > should be > independent of the DH key DHK). > > (b) Apply CMAC with N as the key and DHK as the input (i.e., DHK acts > as the > message, or plaintext, for the CMAC function and N acts as the key). > > (c) Use the value output by (b) as the key CK (this assumes that the > output > length from CMAC is the same as the length of a CMAC key -- this is > the case > for AES-128 but not for AES-256). > > IMPORTANT: If your protocol cannot exchange a nonce, or can exchange > it but > cannot authenticate it (in which case the nonce can be chosen by an > attacker) > then replace N with a fixed value that is defined and wired it into > the protocol > as a constant. Choose N to be any "random" string of the length of a > CMAC key. > (I prefer to use a random-looking N rather than something like > all-zero string > in case that such a structured key may turn to be a "weak key" of the > underlying > cipher). > > Hugo > > > Hugo, > > > > In the proposed IEEE 802.15.6 standard, an ECDH derived key is > expanded via CMAC > > to produce the actual keying material. No cryptographic hash is > used in this > > protocol. > > > > This seems to go contrary to the recommendation in > > http://www.ietf.org/id/draft-irtf-cfrg-kdf-uses-00.txt that DH > derived keys are > > NOT uniformly distributed and MUST be passed through an extract > phase (eg as in > > HKDF). > > > > Can you please point me to a reference to the nature of the attack > in this > > usage. This method will end up in medical devices like Insulin pumps, > > Pacemakers, etc and I am looking for hard references to get the > authors to make > > needed changes. > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] CMAC for extraction Hugo Krawczyk
- Re: [Cfrg] CMAC for extraction Robert Moskowitz
- Re: [Cfrg] CMAC for extraction Robert Moskowitz