[Cfrg] KDF: Randomness extraction vs. key expansion
David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 21:27 UTC

Ran Canetti
>David Wagner writes:
>> But does it really work?  Can we safely use the nonces "as-is"?
>> What's got me worried is that one of the nonces could have been chosen
>> by an attacker.  See my previous email for some example scenarios where
>
>I'm talking about key exchange protocols where the nonces are
>authenticated (mac'ed) as part of the exchange (eg, IKE).
>In such protocols we know that the nonces came from the real participants,
>and since we only care about the goodness of the key in case that the
>participants are following their protocol, we can assume they are random
>(in case, of course, that the protocol instructs the nonces to be random).

Ahh, now I get it.  I guess you're talking about the case where nonces
are signed or MACed using pre-established static signing or MAC keys
(not ones derived from the same key exchange performed during this
session).  So yeah, that makes sense.  Thanks!

This does make deterministic key extraction look more attractive, for
protocols that take this form...  Cute.

P.S. I'm still trying to convince myself that we definitely, absolutely
don't care about the goodness of the key, if one of the participants is
malicious.  That sounds quite plausible, though I haven't got an airtight
argument to myself yet.  Anyway, I'll take that on faith for now -- I
suspect I'm just being slow...
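
The arrangement discussed in this message, as an added example that is not part of the original e-mail: each nonce is checked against a MAC made with a pre-established static key, and only then is the nonce pair used as-is to key the extraction step. The function names, the HMAC-SHA256 extract/expand construction and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

H = hashlib.sha256

def mac_nonce(static_key: bytes, role: bytes, nonce: bytes) -> bytes:
    """Tag a nonce under the pre-established static MAC key (not a session key)."""
    return hmac.new(static_key, role + b"|" + nonce, H).digest()

def extract(nonce_i: bytes, nonce_r: bytes, shared_secret: bytes) -> bytes:
    """Randomness extraction keyed by the nonces as-is: PRF(Ni | Nr, secret)."""
    return hmac.new(nonce_i + nonce_r, shared_secret, H).digest()

def expand(prk: bytes, label: bytes, length: int) -> bytes:
    """Key expansion: chained HMAC blocks over the extracted key."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + label + bytes([counter]), H).digest()
        out += block
        counter += 1
    return out[:length]

def derive_session_keys(static_key, nonce_i, tag_i, nonce_r, tag_r, shared_secret):
    """Use the nonces for extraction only if both MACs verify."""
    for role, nonce, tag in ((b"I", nonce_i, tag_i), (b"R", nonce_r, tag_r)):
        if not hmac.compare_digest(mac_nonce(static_key, role, nonce), tag):
            raise ValueError("nonce not authenticated; refusing to extract")
    prk = extract(nonce_i, nonce_r, shared_secret)
    return expand(prk, b"enc", 32), expand(prk, b"mac", 32)

# Constructed sample values (assumptions, not taken from any real exchange).
STATIC_KEY = bytes(range(32))          # long-term MAC key shared in advance
NI, NR = b"\x11" * 16, b"\x22" * 16    # initiator / responder nonces
SHARED = b"\x33" * 32                  # stands in for the DH shared secret
TAG_I = mac_nonce(STATIC_KEY, b"I", NI)
TAG_R = mac_nonce(STATIC_KEY, b"R", NR)
ENC_KEY, MAC_KEY = derive_session_keys(STATIC_KEY, NI, TAG_I, NR, TAG_R, SHARED)
```

The MAC key here is deliberately independent of the session: if it were derived from the same exchange, verifying the nonces would depend on the key being extracted.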