RE: [Cfrg] Fwd: Hash-Based Key Derivation
"Scott Fluhrer" <sfluhrer@cisco.com> Tue, 25 October 2005 17:49 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUSvZ-0007re-2j; Tue, 25 Oct 2005 13:49:37 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUSvX-0007rZ-0Q for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 13:49:35 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA08644 for <cfrg@ietf.org>; Tue, 25 Oct 2005 13:49:20 -0400 (EDT)
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUT8W-00048i-3E for cfrg@ietf.org; Tue, 25 Oct 2005 14:03:01 -0400
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-3.cisco.com with ESMTP; 25 Oct 2005 10:49:14 -0700
X-IronPort-AV: i="3.97,250,1125903600"; d="scan'208"; a="356517515:sNHT2142896942"
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id j9PHn3uj013207 for <cfrg@ietf.org>; Tue, 25 Oct 2005 10:49:13 -0700 (PDT)
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 10:49:11 -0700
Received: from sfluhrerhpc ([10.32.244.83]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 10:49:10 -0700
From: Scott Fluhrer <sfluhrer@cisco.com>
To: 'David McGrew' <mcgrew@cisco.com>, cfrg@ietf.org
Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 10:49:13 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-reply-to: <17A05046-7CA3-48BA-870D-2ABF92F03B40@cisco.com>
Thread-Index: AcXZhatvBoCwKnK7Ti+h+5o4yMrLSgABbQKg
Message-ID: <XFE-SJC-212H71yEXUI000091d2@xfe-sjc-212.amer.cisco.com>
X-OriginalArrivalTime: 25 Oct 2005 17:49:11.0049 (UTC) FILETIME=[67D37F90:01C5D98C]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d0bdc596f8dd1c226c458f0b4df27a88
Content-Transfer-Encoding: 7bit
Cc:
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
> -----Original Message----- > From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On > Behalf Of David McGrew > Sent: Tuesday, October 25, 2005 9:56 AM > To: cfrg@ietf.org > Subject: [Cfrg] Fwd: Hash-Based Key Derivation > > FYI > > Begin forwarded message: > > > From: Russ Housley <housley@vigilsec.com> > > Date: October 25, 2005 9:44:42 AM PDT > > To: saag@mit.edu > > Subject: Hash-Based Key Derivation > > > > > > I wanted call your attention to an individual draft on > "Hash-Based Key > > Derivation." > > > > http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt > > > > This draft specifies a soon to be NIST-approved algorithm > for deriving > > secret key material from a shared secret using a hash > algorithm. This > > algorithm is in the NIST draft SP 800-56. > > > > I encourage review and comment. If you have concerns with this > > document, then the concerns probably apply to he NIST draft SP > > 800-56 document too. Well, one concern I have is that the strength of this hash derivation function depends on the difficulty of recovering a preimage of a hash function given a large set of hashes of related preimages. If the attacker can recover that, then he could recover the secret value (assuming he is able to somehow get his hands on a number of derived keying materials). This is a nonstandard assumption on hash functions, and one that to the best of my knowledge has never been analyzed. I would suggest instead is that they construct the hash derivation function out of a MAC (such as HMAC). That is, instead of doing setp 4.a: a. Compute Hash-i = H (counter || SV {|| algorithmID} || contextID {|| SharedInfo}). they instead do: a. Compute Mac-i = MAC(SV, counter {|| algorithmID} || contextID {|| SharedInfo}) (where the first parameter to the MAC is the key). By doing this, we are relying on the designed property of the MAC (which implies that you cannot recover the key even with a large number of MAC/Plaintext pairs). > > > > I am considering sponsoring this document as an > Informational RFC. > > Please let me know if you have any concerns with this > proposed action. > > > > Thanks, > > Russ > > _______________________________________________ > Cfrg mailing list > Cfrg@ietf.org > https://www1.ietf.org/mailman/listinfo/cfrg > _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein