IETF Logo Mail Archive

KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Thu, 27 October 2005 17:57 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVC01-00058K-4w; Thu, 27 Oct 2005 13:57:13 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVBzz-00057s-Er for cfrg@megatron.ietf.org; Thu, 27 Oct 2005 13:57:11 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA18779 for <cfrg@ietf.org>; Thu, 27 Oct 2005 13:56:54 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVCDN-0005bL-Dd for cfrg@ietf.org; Thu, 27 Oct 2005 14:11:03 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9RHuwIR031744 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Oct 2005 10:56:58 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9RHuwmk031740; Thu, 27 Oct 2005 10:56:58 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510271756.j9RHuwmk031740@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Thu, 27 Oct 2005 10:56:58 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7655788c23eb79e336f5f8ba8bce7906
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Simon Blake-Wilson writes:
>[...] an attacker should also get access to something like an
>F(f(K),.)) oracle. For example in the case of an ephemeral-static DH
>protocol where the recipient has a static public key g^x and the legimate
>peer contributes an ephemeral public key g^y, an attacker may be able to
>to at some point impersonate a legimate peer and send (g^y)^2 and
>subsequently learn the session key computed by the recipient using
>S=g^2xy. Allowing the attacker access to an F(f(K),.) oracle for any
>f:S->S, f \neq 1 of the attacker choice somehow simulates this
>possibility.

That's an excellent point, and it pretty much sinks my proposed
definition.  Thank you.  I'm afraid I don't know how to model this in
a clean way in the definition, so I have to take back my assertion that
defining a secure KDF is easy.

By the way, there is a very tricky issue here.  If we allow the attacker
to specify a truly arbitrary function f:S->S, then there is no hope
for security, because there are generic attacks that will work against
any KDF.  (For instance, taking f1(K) = x&1, f2(K) = x&3, f3(K) = x&7,
etc. lets me learn K in linear time.)  This is similar to the issue
with security against related-key attacks, and that also gets into some
definitional briar patches.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email