IETF Logo Mail Archive

KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 22:04 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVcKh-0001FZ-Is; Fri, 28 Oct 2005 18:04:19 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVcKe-0001FN-UY for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 18:04:17 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA22368 for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:04:00 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVcYI-0006dK-5y for cfrg@ietf.org; Fri, 28 Oct 2005 18:18:23 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9SM43eJ013902 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 28 Oct 2005 15:04:03 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9SM43mw013898; Fri, 28 Oct 2005 15:04:03 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510282204.j9SM43mw013898@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Fri, 28 Oct 2005 15:04:03 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 69a74e02bbee44ab4f8eafdbcedd94a1
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Dan Bernstein writes:
>David Wagner writes:
>> The hash function also has to be independent of the adversary's choices.
>
>No, that sort of assumption is always wrong for public hash functions.

Exactly my point.  I'm saying the assumption is necessary for provable
security under the Leftover Hash Lemma; but as you say, the assumption
is false for public hash functions.  The obvious conclusion: public hash
functions are generally incompatible with provable security under the
Leftover Hash Lemma.  Is there some flaw in this reasoning?

>> If you pick and reveal the hash function first, and the adversary chooses
>> their values afterwards (and those values are processed with the hash
>> function you picked), all bets are off.  Did I get that right?
>
>If you're trying to say that the attacker can perhaps produce non-random
>behavior in the secret that he shares with you, that's true. In fact, he
>always knows the entire value! But this has no relevance to his attempts
>to determine the secret that you share with someone else.

That's not what I'm concerned about.  I'm not concerned about other
sessions; I'm concerned about the very session that the adversary is
participating in.  Read this:
  http://www1.ietf.org/mail-archive/web/cfrg/current/msg01095.html
That message gives scenarios where everything falls apart, because the
adversary can choose some inputs to the KDF that make the session key
*for this session* predictable.  (One quick example: if the KDF is used
to derive a MAC key that is used to authenticate the other party, then
spoofing may become possible.)

And no, it is not necessarily true that the adversary already knows
the entire value of the secret that is supposedly "shared".  There are
protocols where if both parties are honest, then both parties will know
the value of the shared secret -- but it is a security condition that
if one participant tries to spoof someone else's identity, then that
malicious participant does not learn the value of the "shared" secret.
The URL quoted above gives examples.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email