IETF Logo Mail Archive

RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

Daniel Brown <DBrown@certicom.com> Thu, 27 October 2005 17:17 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVBN8-0008HT-Iz; Thu, 27 Oct 2005 13:17:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVBN5-0008HL-Kv for cfrg@megatron.ietf.org; Thu, 27 Oct 2005 13:17:00 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA16602 for <cfrg@ietf.org>; Thu, 27 Oct 2005 13:16:42 -0400 (EDT)
Received: from [216.183.86.37] (helo=mail.ca.certicom.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVBaS-0004LC-Kj for cfrg@ietf.org; Thu, 27 Oct 2005 13:30:51 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id DC3A5101813D0; Thu, 27 Oct 2005 13:16:39 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10646-76; Thu, 27 Oct 2005 13:16:38 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 527B3101813DA; Thu, 27 Oct 2005 13:16:38 -0400 (EDT)
In-Reply-To: <0a3001c5db06$b29e6960$0200a8c0@simon>
To: Simon Blake-Wilson <sblakewilson@bcisse.com>
Subject: RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OF0EFC981F.8A773E46-ON852570A7.005B9073-852570A7.005EF9BE@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Thu, 27 Oct 2005 13:17:38 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/27/2005 01:17:34 PM, Serialize complete at 10/27/2005 01:17:34 PM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0292917697=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Hi Simon, 

> 
> This seems like the best attempt at a definition that I've seen. My only
> thought is whether an attacker should also get access to something like 
an
> F(f(K),.)) oracle. For example in the case of an ephemeral-static DH
> protocol where the recipient has a static public key g^x and the 
legimate
> peer contributes an ephemeral public key g^y, an attacker may be able to
> to at some point impersonate a legimate peer and send (g^y)^2 and
> subsequently learn the session key computed by the recipient using
> S=g^2xy. Allowing the attacker access to an F(f(K),.) oracle for any
> f:S->S, f \neq 1 of the attacker choice somehow simulates this
> possibility. (I suspect formalizing f and how the attacker specifies it
> gets messy, but this does seem like a vaguely realistic required 
property
> in some cases.)
> 

That's an excellent point: KDFs need to resist manipulation of the secret 
input value, but the standard PRF notion doesn't seem to cover that.  Of 
course, the existing PRF-based KDFs (e.g. in TLS) may easily resist 
manipulation of the secret input value, but it may not be right to credit 
that to some formal security arguments about PRFs.

The existing PRG-based KDFs (e.g. HKDF from NIST and ANSI) may lack any 
formal security arguments whatsoever, but they probably also resist secret 
input value manipulation attacks.  Since a PRG seems a simpler thing than 
a PRF, I wonder if simpler formal security definitions and arguments can 
be supplied for such a KDF (in a threat model limited to one use of the 
secret value, as typical for making a DH shared secret into a symmetric 
key).  A KDF would need to be both a PRG and 1-way, perhaps more generally 
to not leak information, but surely there are some arguments around .

So, from a security architecture point of view, it may make sense to use 
one tool for making a raw DH shared secret into a symmetric key and 
another different tool for making subsidiary secrets out of a master 
secret.  The first tool needs to resist manipulation of the input secret 
but only has to worry about single use of the secret (or maybe double use 
:first for Alice and second for Bob?).  The second tool does not need to 
resist manipulation of the master secret, but may be subject to a larger 
number of queries, so the existing PRF notion may be perfect.

Yet another, third tool may be best suited for producing pseudorandomness 
from highly biased sources of min-entropy.  But maybe it's not too 
ambitious to find one definition and one tool can cover all three tasks 
either.
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email