RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Daniel Brown <DBrown@certicom.com> Thu, 27 October 2005 17:17 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVBN8-0008HT-Iz; Thu, 27 Oct 2005 13:17:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVBN5-0008HL-Kv for cfrg@megatron.ietf.org; Thu, 27 Oct 2005 13:17:00 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA16602 for <cfrg@ietf.org>; Thu, 27 Oct 2005 13:16:42 -0400 (EDT)
Received: from [216.183.86.37] (helo=mail.ca.certicom.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVBaS-0004LC-Kj for cfrg@ietf.org; Thu, 27 Oct 2005 13:30:51 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id DC3A5101813D0; Thu, 27 Oct 2005 13:16:39 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10646-76; Thu, 27 Oct 2005 13:16:38 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 527B3101813DA; Thu, 27 Oct 2005 13:16:38 -0400 (EDT)
In-Reply-To: <0a3001c5db06$b29e6960$0200a8c0@simon>
To: Simon Blake-Wilson <sblakewilson@bcisse.com>
Subject: RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OF0EFC981F.8A773E46-ON852570A7.005B9073-852570A7.005EF9BE@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Thu, 27 Oct 2005 13:17:38 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/27/2005 01:17:34 PM, Serialize complete at 10/27/2005 01:17:34 PM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0292917697=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Hi Simon, > > This seems like the best attempt at a definition that I've seen. My only > thought is whether an attacker should also get access to something like an > F(f(K),.)) oracle. For example in the case of an ephemeral-static DH > protocol where the recipient has a static public key g^x and the legimate > peer contributes an ephemeral public key g^y, an attacker may be able to > to at some point impersonate a legimate peer and send (g^y)^2 and > subsequently learn the session key computed by the recipient using > S=g^2xy. Allowing the attacker access to an F(f(K),.) oracle for any > f:S->S, f \neq 1 of the attacker choice somehow simulates this > possibility. (I suspect formalizing f and how the attacker specifies it > gets messy, but this does seem like a vaguely realistic required property > in some cases.) > That's an excellent point: KDFs need to resist manipulation of the secret input value, but the standard PRF notion doesn't seem to cover that. Of course, the existing PRF-based KDFs (e.g. in TLS) may easily resist manipulation of the secret input value, but it may not be right to credit that to some formal security arguments about PRFs. The existing PRG-based KDFs (e.g. HKDF from NIST and ANSI) may lack any formal security arguments whatsoever, but they probably also resist secret input value manipulation attacks. Since a PRG seems a simpler thing than a PRF, I wonder if simpler formal security definitions and arguments can be supplied for such a KDF (in a threat model limited to one use of the secret value, as typical for making a DH shared secret into a symmetric key). A KDF would need to be both a PRG and 1-way, perhaps more generally to not leak information, but surely there are some arguments around . So, from a security architecture point of view, it may make sense to use one tool for making a raw DH shared secret into a symmetric key and another different tool for making subsidiary secrets out of a master secret. The first tool needs to resist manipulation of the input secret but only has to worry about single use of the secret (or maybe double use :first for Alice and second for Bob?). The second tool does not need to resist manipulation of the master secret, but may be subject to a larger number of queries, so the existing PRF notion may be perfect. Yet another, third tool may be best suited for producing pseudorandomness from highly biased sources of min-entropy. But maybe it's not too ambitious to find one definition and one tool can cover all three tasks either.
_______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- [Cfrg] Re: Extractors/KDF definition and goal csjutla
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Daniel Brown
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… John Wilkinson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… canetti