[Cfrg] KDF: Randomness extraction vs. key expansion

David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 21:27 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510282127.j9SLRXYs012703@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] KDF: Randomness extraction vs. key expansion
To: cfrg@ietf.org
Date: Fri, 28 Oct 2005 14:27:33 -0700

Ran Canetti
>David Wagner writes:
>> But does it really work?  Can we safely use the nonces "as-is"?
>> What's got me worried is that one of the nonces could have been chosen
>> by an attacker.  See my previous email for some example scenarios where
>
>I'm talking about key exchange protocols where the nonces are
>authenticated (MACed) as part of the exchange (e.g., IKE).
>In such protocols we know that the nonces came from the real participants,
>and since we only care about the goodness of the key in case that the
>participants are following their protocol, we can assume they are random
>(in case, of course, that the protocol instructs the nonces to be random).

Ahh, now I get it.  I guess you're talking about the case where nonces
are signed or MACed using pre-established static signing or MAC keys (not
ones derived from the same key exchange performed during this session).
So yeah, that makes sense.  Thanks!

This does make deterministic key extraction look more attractive, for
protocols that take this form...  Cute.
P.S. I'm still trying to convince myself that we definitely, absolutely
don't care about the goodness of the key, if one of the participants
is malicious.  That sounds quite plausible, though I haven't got an
airtight argument to myself yet.  Anyway, I'll take that on faith for
now -- I suspect I'm just being slow...

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
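The extract-then-expand structure this thread is discussing, as an added example that is not part of the original message: the exchanged nonces serve as the extractor salt (the IKEv2 shape, SKEYSEED = prf(Ni | Nr, g^ir), from RFC 7296), next to a deterministic variant with a fixed public salt where the nonces only enter the expansion context. Function names and sample values are my own.

```python
import hashlib
import hmac


def extract(salt: bytes, ikm: bytes) -> bytes:
    # Randomness extraction: HMAC keyed with the salt condenses the
    # (possibly non-uniform) input keying material into a fixed-length PRK.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    # Key expansion (HKDF-Expand shape, RFC 5869): stretch the PRK into as
    # many key bytes as the protocol needs, bound to a context string.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, nonce_i: bytes, nonce_r: bytes,
                salted: bool = True, length: int = 64) -> bytes:
    # salted=True : the authenticated nonces are the extractor salt, so the
    #               extraction step itself is randomized by both parties.
    # salted=False: deterministic extraction with a fixed, public salt; the
    #               key's quality then rests on the shared secret alone, and
    #               the nonces only provide context separation in expansion.
    salt = nonce_i + nonce_r if salted else b"\x00" * 32
    prk = extract(salt, shared_secret)
    return expand(prk, b"demo-kdf" + nonce_i + nonce_r, length)


# Constructed sample values (not taken from any real exchange).
SECRET = bytes.fromhex("0b" * 32)   # stands in for g^ir
NI = bytes.fromhex("a1" * 16)       # initiator nonce
NR = bytes.fromhex("b2" * 16)       # responder nonce

if __name__ == "__main__":
    print("salted  :", derive_keys(SECRET, NI, NR).hex())
    print("unsalted:", derive_keys(SECRET, NI, NR, salted=False).hex())
```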