Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
Robert Moskowitz <rgm-sec@htt-consult.com> Wed, 24 March 2010 21:32 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C0D63A6B4C for <cfrg@core3.amsl.com>; Wed, 24 Mar 2010 14:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.63
X-Spam-Level:
X-Spam-Status: No, score=0.63 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFi31xiWHxlo for <cfrg@core3.amsl.com>; Wed, 24 Mar 2010 14:32:14 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id F025F3A684F for <cfrg@irtf.org>; Wed, 24 Mar 2010 14:32:13 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 37D5968B75; Wed, 24 Mar 2010 21:27:56 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fAF0UJnzlCki; Wed, 24 Mar 2010 17:27:46 -0400 (EDT)
Received: from nc2400.htt-consult.com (dhcp-wireless-open-abg-29-130.meeting.ietf.org [130.129.29.130]) (Authenticated sender: rgm-sec@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 7065F68B40; Wed, 24 Mar 2010 17:27:40 -0400 (EDT)
Message-ID: <4BAA84D4.4070801@htt-consult.com>
Date: Wed, 24 Mar 2010 14:32:04 -0700
From: Robert Moskowitz <rgm-sec@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100301 Fedora/3.0.3-1.fc12 Thunderbird/3.0.3
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <20100227073250.4D9063A8642@core3.amsl.com> <FE9E5030-975C-4400-B262-44C4A4A25095@cisco.com> <4BA9712D.5030004@htt-consult.com> <90674964-388A-4BF8-92D2-F909AD74883E@cisco.com> <4BAA5D03.9060104@htt-consult.com> <e814847129947fb93ba452075165522d.squirrel@www.trepanning.net>
In-Reply-To: <e814847129947fb93ba452075165522d.squirrel@www.trepanning.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: David McGrew <mcgrew@cisco.com>, cfrg@irtf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Mar 2010 21:32:15 -0000
On 03/24/2010 01:15 PM, Dan Harkins wrote: > Hi Bob, > > I don't know what the protocol is but if you added a nonce exchange > to the DH exchange (and had appropriate assumptions on the randomness > of the nonces) then you could use the nonces as the key to the CMAC-based > KDF and the DH shared secret as (part of) the data that's MAC'd. > Good points. I need to think this through.... > regards, > > Dan. > > On Wed, March 24, 2010 11:42 am, Robert Moskowitz wrote: > >> David suggested I bring this discussion to the list. >> >> As I have mentioned previously on this list, I want a CMAC based KDF >> where the key was derived from a DH exchange. As you will see below, >> per this ID, CMAC can only be used as a KDF (and this is the case in its >> use in NIST 800-108) if the key is uniformly distributed (use case #3). >> >> So scan down to the important stuff.... >> >> On 03/24/2010 07:30 AM, David McGrew wrote: >> >>> Hi Robert, >>> >>> On Mar 23, 2010, at 6:55 PM, Robert Moskowitz wrote: >>> >>> >>>> Further questions... >>>> >>>> Does ECDH keys also fit in use case #2? >>>> >>> yes, this use case was meant to cover any public key algorithm whose >>> output is a value that is secret, but which is not a binary string >>> that is uniformly randomly distributed. >>> >>> >>>> Can you define a KDF for #2 that uses CMAC? It seems from your >>>> document that current there is not one. >>>> >>>> >>> Not if you want provable security. >>> >>> From http://people.csail.mit.edu/dodis/ps/hmac.ps: >>> >>> The Extraction Properties of CBC-MAC Mode. We show, in Section 3, that >>> if f is a random permutation over >>> {0, 1}^k and X is an input distribution with min-entropy of at least >>> 2k, then the statistical distance between F (X) (where F represents >>> the function f computed in CBC-MAC mode over L blocks) and the uniform >>> distribution on {0, 1}^k is L · 2^{−k/2}. >>> >>> In practice, using this proof of security would mean that public keys >>> providing 4*n bits of security would be needed in order to be provably >>> secure at the n-bit level. For ECC, this would mean we'd need to use >>> 1024-bit keys (four times 256 bits) in order to claim 128 bits of >>> security based on something "provable". So in short it seems that if >>> one demands "provable security", this is not a good way to go. >>> >> I ASSuME you mean used in an ECDH key agreement to get the non-uniformly >> distributed key? >> >> >>> There might be more recent results, but I'm not aware of any. It >>> would be useful to take this discussion to the list, if you don't >>> mind. "I want an AES-based KDF for use case #2" is a good topic for >>> discussion. >>> >> OK, I am trying to Grok this... >> >> Does CMAC have the same extraction properties as CBC-MAC? >> >> Someone mentioned that you should first run the DH output through a >> function that uniformly distributes the randomness, then feed it into >> CMAC. But what would that be if not a hash function? And it has to be >> tight enough code that it is a reasonable alternative. >> >> Is my only alternative for a 'light weight keying' to pitch DH and just >> deliver a random key encrypted with a public ECC key? Then I fit in >> case #3 and can use CMAC? Though an arguement can be made that you want >> to pitch DH as well when you strive for a real small code size and low >> CPU hit. >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg >> >> > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] draft-irtf-cfrg-kdf-uses-00 David McGrew
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Zooko Wilcox-O'Hearn
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Robert Moskowitz
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Robert Moskowitz
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 David McGrew
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Dan Harkins