Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

[Daniel Brown <DBrown@certicom.com>]

Hugo Krawcyzk wrote on 10/26/2005 07:09:01 PM:

> 
> One final comment about random oracles. Take the example of NIST's KDF.
> Note that the counter value comes before the SV value. Why?

The paper:

C. Adams, G. Kramer, S. Mister and R. Zuccherato, "On the Security of Key 
Derivation Functions",  Information Security - 7th International 
Conference, ISC 2004, Lecture Notes in Computer Science 3225 (2004), 
Springer-Verlag, pp. 134-145. 

provides some grounds that putting the counter after the SV in a such a 
KDF based on an iterated hash function like SHA-1 has some risks. 

Suppose that the SV was before the counter, the SV is the length of a 
input block of SHA-1, (i.e. 512 bits), SV has min-entropy at least 256 
bits, the KDF is used to generate some number of AES-256 keys.  If Eve 
obtains one of the AES keys, and it happens to contain a whole hash output 
block from the KDF, then she can determine all the other AES keys with 
only 2^160 work.  Eve just searches through all possible values of the 
first chaining variable, until she finds a match with her sample.  All 
other blocks have the same first value of the chaining variable, so she 
can then determine this too.  Although this amount of work is infeasible 
today (and for the foreseeable future), it is considerably below the 
objective security level for AES-256, so qualifies as an attack. 

Placing the counter before the SV seems to stop this particular attack.

The paper also provides an analysis of the IKE "KDF", and seems to draw a 
similar conclusion.

> I do not really know. Of course, if H is a random oracle then the
> order of counter and SV is immaterial (as long as it is kept fixed).
> But with an actual function such as SHA-1 it may make a difference.
> For example, Preneel and van Oorschot showed that if you are putting
> a key as part of a hash message then it is best not to put it across
> block boundaries. If this advise holds here then it might have been 
better
> to put SV before counter. Now, I have not tried to really analyze this.
> I am using this as an example showing that the idealization of H as a
> random oracle may be too much of an abstraction driving us to bad
> decisions.
> 
> To make this last (important) point even clearer, think of the
> design of a MAC. If SHA-1 is to be treated as a random oracle then
> MAC(K,msg)=SHA-1(K||msg) makes a "provably secure" MAC.  But as we
> know it is *completely insecure* due to extension attacks.  One can
> say: "well we know about extension attacks so we won't do that"
> (note that this is already an important realization that SHA-1 is
> NOT a random oracle -- even if the compresion function was purely 
random).
> So we'll try another construct: MAC(K,msg)=SHA-1(msg||K).
> How about this one?  Again, it is provable secure in the RO model.
> How secure is it in practice? Until a couple of years ago very secure.
> Now it is not secure anymore since it is vulnerable to collision attacks
> on SHA-1!  Again, too much confidence (or reliance) on the random oracle
> approach can easily lead us to bad (or at least sub-optimal) choices.
> 

I agree.  The RO model is great for ignoring the role of the hash function 
when analyzing a scheme with many ingredients, i.e. hash and DLog Group, 
but if the hash is the key ingredient, then a proof in the RO model says 
very little.

Dan Brown
(905) 501-3857
http://www.certicom.com

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg