Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

John Wilkinson <wilkjohn@gmail.com> Sun, 30 October 2005 12:21 UTC

In-Reply-To: <200510300542.j9U5gbRn023523@taverner.CS.Berkeley.EDU>
References: <200510300542.j9U5gbRn023523@taverner.CS.Berkeley.EDU>
Message-Id: <0C6D3012-1C18-4F50-9272-FCD3BEAADC4D@gmail.com>
From: John Wilkinson <wilkjohn@gmail.com>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Date: Sun, 30 Oct 2005 07:21:26 -0500
To: cfrg@ietf.org

On Oct 30, 2005, at 1:42 AM, David Wagner wrote:
> I think the NIST KDF is sub-optimal, and could be improved.

I have never implemented a KDF similar to NIST's proposal; I have always used (without really thinking about why) a "pre-hash" of the shared secret value H(SV) as the key input to a PRF.

Since I tend to be conservative, I would probably be more inclined to use the HKDF proposal if it were like the (already suggested) construction:

H_i = HMAC( H(SV), i || contextID )

I thought that some were objecting to this construction on implementation difficulty or efficiency grounds, and since I couldn't really see anything quantifiably *wrong* with the NIST proposal, I suggested leaving the NIST proposal as is. If, however, everyone is happy with the above "pre-hash and HMAC" construction, it would certainly get my vote.

-John
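The "pre-hash and HMAC" construction from the message above, written out as an added example (not code from the thread or from any NIST or IETF document). The mail does not fix the counter encoding, so this example assumes i starts at 1, is encoded as a 4-byte big-endian integer, and that output blocks are concatenated and truncated to the requested length.

```python
import hashlib
import hmac


def prehash(shared_secret: bytes, hash_name: str = "sha256") -> bytes:
    """H(SV): the PRF key is the hash of the shared secret, so a long or
    structured shared value (e.g. a DH output) becomes a fixed-size key."""
    return hashlib.new(hash_name, shared_secret).digest()


def kdf_block(prf_key: bytes, i: int, context_id: bytes,
              hash_name: str = "sha256") -> bytes:
    """H_i = HMAC(H(SV), i || contextID).
    Assumption: i is a 4-byte big-endian counter (not specified in the mail)."""
    if not 1 <= i <= 0xFFFFFFFF:
        raise ValueError("counter out of range for 4-byte encoding")
    return hmac.new(prf_key, i.to_bytes(4, "big") + context_id, hash_name).digest()


def prehash_hmac_kdf(shared_secret: bytes, context_id: bytes, length: int,
                     hash_name: str = "sha256") -> bytes:
    """Derive `length` bytes by concatenating H_1 || H_2 || ... and truncating.
    Binding contextID into every block keeps keys derived for different
    purposes (or parties) from the same SV independent of one another."""
    if length < 0:
        raise ValueError("length must be non-negative")
    prf_key = prehash(shared_secret, hash_name)
    out = bytearray()
    i = 1
    while len(out) < length:
        out += kdf_block(prf_key, i, context_id, hash_name)
        i += 1
    return bytes(out[:length])


if __name__ == "__main__":
    # Constructed sample input: stands in for a DH shared secret.
    sv = b"constructed-shared-secret-value"
    enc_key = prehash_hmac_kdf(sv, b"encryption", 32)
    mac_key = prehash_hmac_kdf(sv, b"integrity", 32)
    print("enc", enc_key.hex())
    print("mac", mac_key.hex())
```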

