IETF Logo Mail Archive

RE: [Cfrg] Fwd: Hash-Based Key Derivation

"Scott Fluhrer" <sfluhrer@cisco.com> Tue, 25 October 2005 17:49 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUSvZ-0007re-2j; Tue, 25 Oct 2005 13:49:37 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUSvX-0007rZ-0Q for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 13:49:35 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA08644 for <cfrg@ietf.org>; Tue, 25 Oct 2005 13:49:20 -0400 (EDT)
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUT8W-00048i-3E for cfrg@ietf.org; Tue, 25 Oct 2005 14:03:01 -0400
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-3.cisco.com with ESMTP; 25 Oct 2005 10:49:14 -0700
X-IronPort-AV: i="3.97,250,1125903600"; d="scan'208"; a="356517515:sNHT2142896942"
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id j9PHn3uj013207 for <cfrg@ietf.org>; Tue, 25 Oct 2005 10:49:13 -0700 (PDT)
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 10:49:11 -0700
Received: from sfluhrerhpc ([10.32.244.83]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 10:49:10 -0700
From: Scott Fluhrer <sfluhrer@cisco.com>
To: 'David McGrew' <mcgrew@cisco.com>, cfrg@ietf.org
Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 10:49:13 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-reply-to: <17A05046-7CA3-48BA-870D-2ABF92F03B40@cisco.com>
Thread-Index: AcXZhatvBoCwKnK7Ti+h+5o4yMrLSgABbQKg
Message-ID: <XFE-SJC-212H71yEXUI000091d2@xfe-sjc-212.amer.cisco.com>
X-OriginalArrivalTime: 25 Oct 2005 17:49:11.0049 (UTC) FILETIME=[67D37F90:01C5D98C]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d0bdc596f8dd1c226c458f0b4df27a88
Content-Transfer-Encoding: 7bit
Cc:
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

 

> -----Original Message-----
> From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On 
> Behalf Of David McGrew
> Sent: Tuesday, October 25, 2005 9:56 AM
> To: cfrg@ietf.org
> Subject: [Cfrg] Fwd: Hash-Based Key Derivation
> 
> FYI
> 
> Begin forwarded message:
> 
> > From: Russ Housley <housley@vigilsec.com>
> > Date: October 25, 2005 9:44:42 AM PDT
> > To: saag@mit.edu
> > Subject: Hash-Based Key Derivation
> >
> >
> > I wanted call your attention to an individual draft on 
> "Hash-Based Key 
> > Derivation."
> >
> >       http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt
> >
> > This draft specifies a soon to be NIST-approved algorithm 
> for deriving 
> > secret key material from a shared secret using a hash 
> algorithm.  This 
> > algorithm is in the NIST draft SP 800-56.
> >
> > I encourage review and comment.  If you have concerns with this 
> > document, then the concerns probably apply to he NIST draft SP
> > 800-56 document too.

Well, one concern I have is that the strength of this hash derivation
function depends on the difficulty of recovering a preimage of a hash
function given a large set of hashes of related preimages.  If the attacker
can recover that, then he could recover the secret value (assuming he is
able to somehow get his hands on a number of derived keying materials).
This is a nonstandard assumption on hash functions, and one that to the best
of my knowledge has never been analyzed.

I would suggest instead is that they construct the hash derivation function
out of a MAC (such as HMAC).  That is, instead of doing setp 4.a:

        a. Compute Hash-i = H (counter || SV {|| algorithmID} || 
          contextID {|| SharedInfo}). 

they instead do:

        a. Compute Mac-i = MAC(SV, counter {|| algorithmID} ||
          contextID {|| SharedInfo})

(where the first parameter to the MAC is the key).  By doing this, we are
relying on the designed property of the MAC (which implies that you cannot
recover the key even with a large number of MAC/Plaintext pairs).

> >
> > I am considering sponsoring this document as an 
> Informational RFC.   
> > Please let me know if you have any concerns with this 
> proposed action.
> >
> > Thanks,
> >   Russ
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> 

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email