IETF Logo Mail Archive

RE: [Cfrg] Fwd: Hash-Based Key Derivation

"Simon Blake-Wilson" <sblakewilson@bcisse.com> Tue, 25 October 2005 18:24 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUTTX-0005ay-0O; Tue, 25 Oct 2005 14:24:43 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUTTV-0005at-Fh for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 14:24:41 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10686 for <cfrg@ietf.org>; Tue, 25 Oct 2005 14:24:27 -0400 (EDT)
Received: from 209-204-118-122.sniparpa.net ([209.204.118.122] helo=bcisse.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUTgV-0005Bd-SJ for cfrg@ietf.org; Tue, 25 Oct 2005 14:38:08 -0400
Received: from simon (toronto-HSE-ppp4163423.sympatico.ca [70.51.154.49]) by bcisse.com; Tue, 25 Oct 2005 14:23:07 -0400
From: Simon Blake-Wilson <sblakewilson@bcisse.com>
To: cfrg@ietf.org
Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 14:23:05 -0400
Message-ID: <016b01c5d991$250f9270$0200a8c0@simon>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
In-Reply-To: <XFE-SJC-212H71yEXUI000091d2@xfe-sjc-212.amer.cisco.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a92270ba83d7ead10c5001bb42ec3221
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1397742261=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Is it really true that you can build a KDF like this based on standard
assumptions about a MAC?

To my mind, the key goal behind a KDF is to take an unpredictable value
(the shared secret)(ie. A value an attacker can't guess) and turn it into
a pseudorandom value (the session key)(ie a value an attacker can't
distinguish from a random value). MACs are by design secure only if the
key is pseudorandom, aren't they?

It's amazing to me that no formal theory of KDF design seems to have
emerged yet, despite many years of use in practice.

Best regards. Simon

> -----Original Message-----
> From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On 
> Behalf Of Scott Fluhrer
> Sent: Tuesday, October 25, 2005 1:49 PM
> To: 'David McGrew'; cfrg@ietf.org
> Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
> 
> 
>  
> 
> > -----Original Message-----
> > From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On
> > Behalf Of David McGrew
> > Sent: Tuesday, October 25, 2005 9:56 AM
> > To: cfrg@ietf.org
> > Subject: [Cfrg] Fwd: Hash-Based Key Derivation
> > 
> > FYI
> > 
> > Begin forwarded message:
> > 
> > > From: Russ Housley <housley@vigilsec.com>
> > > Date: October 25, 2005 9:44:42 AM PDT
> > > To: saag@mit.edu
> > > Subject: Hash-Based Key Derivation
> > >
> > >
> > > I wanted call your attention to an individual draft on
> > "Hash-Based Key
> > > Derivation."
> > >
> > >       
> http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt
> > >
> > > This draft specifies a soon to be NIST-approved algorithm
> > for deriving
> > > secret key material from a shared secret using a hash
> > algorithm.  This
> > > algorithm is in the NIST draft SP 800-56.
> > >
> > > I encourage review and comment.  If you have concerns with this
> > > document, then the concerns probably apply to he NIST draft SP
> > > 800-56 document too.
> 
> Well, one concern I have is that the strength of this hash 
> derivation function depends on the difficulty of recovering a 
> preimage of a hash function given a large set of hashes of 
> related preimages.  If the attacker can recover that, then he 
> could recover the secret value (assuming he is able to 
> somehow get his hands on a number of derived keying 
> materials). This is a nonstandard assumption on hash 
> functions, and one that to the best of my knowledge has never 
> been analyzed.
> 
> I would suggest instead is that they construct the hash 
> derivation function out of a MAC (such as HMAC).  That is, 
> instead of doing setp 4.a:
> 
>         a. Compute Hash-i = H (counter || SV {|| algorithmID} || 
>           contextID {|| SharedInfo}). 
> 
> they instead do:
> 
>         a. Compute Mac-i = MAC(SV, counter {|| algorithmID} ||
>           contextID {|| SharedInfo})
> 
> (where the first parameter to the MAC is the key).  By doing 
> this, we are relying on the designed property of the MAC 
> (which implies that you cannot recover the key even with a 
> large number of MAC/Plaintext pairs).
> 
> > >
> > > I am considering sponsoring this document as an
> > Informational RFC.   
> > > Please let me know if you have any concerns with this
> > proposed action.
> > >
> > > Thanks,
> > >   Russ
> > 
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@ietf.org
> > https://www1.ietf.org/mailman/listinfo/cfrg
> > 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> 

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email