Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
David McGrew <mcgrew@cisco.com> Fri, 09 April 2010 21:37 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE1993A6900 for <cfrg@core3.amsl.com>; Fri, 9 Apr 2010 14:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.311
X-Spam-Level:
X-Spam-Status: No, score=-8.311 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, RCVD_IN_DNSWL_HI=-8, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gywZjibZWGWJ for <cfrg@core3.amsl.com>; Fri, 9 Apr 2010 14:37:51 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 97F723A69EF for <cfrg@irtf.org>; Fri, 9 Apr 2010 14:37:51 -0700 (PDT)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEANo6v0urRN+J/2dsb2JhbACbP3GiHZkbhQkEgyQ
X-IronPort-AV: E=Sophos;i="4.52,179,1270425600"; d="scan'208";a="315967579"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-1.cisco.com with ESMTP; 09 Apr 2010 21:37:47 +0000
Received: from stealth-10-32-254-213.cisco.com (stealth-10-32-254-213.cisco.com [10.32.254.213]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o39Lbi1w017860; Fri, 9 Apr 2010 21:37:45 GMT
From: David McGrew <mcgrew@cisco.com>
To: Dan Harkins <dharkins@lounge.org>
In-Reply-To: <e814847129947fb93ba452075165522d.squirrel@www.trepanning.net>
X-Priority: 3 (Normal)
References: <20100227073250.4D9063A8642@core3.amsl.com> <FE9E5030-975C-4400-B262-44C4A4A25095@cisco.com> <4BA9712D.5030004@htt-consult.com> <90674964-388A-4BF8-92D2-F909AD74883E@cisco.com> <4BAA5D03.9060104@htt-consult.com> <e814847129947fb93ba452075165522d.squirrel@www.trepanning.net>
Message-Id: <FF51BDB9-F7FD-4B66-A644-6C9CAC97DA08@cisco.com>
Content-Type: text/plain; charset="WINDOWS-1252"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 09 Apr 2010 14:37:46 -0700
X-Mailer: Apple Mail (2.936)
Cc: cfrg@irtf.org, Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2010 21:37:53 -0000
Hi Dan, what security level would that provide? Or, for example, what choice of parameters and algorithms would you recommend in order to achieve a 96-bit equivalent security level? My understanding is that, if one uses the implementation strategy that you suggest, and then claims provable security, then they're likely to be unhappy either with the security level that they get or the parameter sizes they'll need to use. David On Mar 24, 2010, at 1:15 PM, Dan Harkins wrote: > > Hi Bob, > > I don't know what the protocol is but if you added a nonce exchange > to the DH exchange (and had appropriate assumptions on the randomness > of the nonces) then you could use the nonces as the key to the CMAC- > based > KDF and the DH shared secret as (part of) the data that's MAC'd. > > regards, > > Dan. > > On Wed, March 24, 2010 11:42 am, Robert Moskowitz wrote: >> David suggested I bring this discussion to the list. >> >> As I have mentioned previously on this list, I want a CMAC based KDF >> where the key was derived from a DH exchange. As you will see below, >> per this ID, CMAC can only be used as a KDF (and this is the case >> in its >> use in NIST 800-108) if the key is uniformly distributed (use case >> #3). >> >> So scan down to the important stuff.... >> >> On 03/24/2010 07:30 AM, David McGrew wrote: >>> Hi Robert, >>> >>> On Mar 23, 2010, at 6:55 PM, Robert Moskowitz wrote: >>> >>>> Further questions... >>>> >>>> Does ECDH keys also fit in use case #2? >>> >>> yes, this use case was meant to cover any public key algorithm whose >>> output is a value that is secret, but which is not a binary string >>> that is uniformly randomly distributed. >>> >>>> >>>> Can you define a KDF for #2 that uses CMAC? It seems from your >>>> document that current there is not one. >>>> >>> >>> Not if you want provable security. >>> >>> From http://people.csail.mit.edu/dodis/ps/hmac.ps: >>> >>> The Extraction Properties of CBC-MAC Mode. We show, in Section 3, >>> that >>> if f is a random permutation over >>> {0, 1}^k and X is an input distribution with min-entropy of at least >>> 2k, then the statistical distance between F (X) (where F represents >>> the function f computed in CBC-MAC mode over L blocks) and the >>> uniform >>> distribution on {0, 1}^k is L · 2^{−k/2}. >>> >>> In practice, using this proof of security would mean that public >>> keys >>> providing 4*n bits of security would be needed in order to be >>> provably >>> secure at the n-bit level. For ECC, this would mean we'd need to >>> use >>> 1024-bit keys (four times 256 bits) in order to claim 128 bits of >>> security based on something "provable". So in short it seems that >>> if >>> one demands "provable security", this is not a good way to go. >> >> I ASSuME you mean used in an ECDH key agreement to get the non- >> uniformly >> distributed key? >> >>> >>> There might be more recent results, but I'm not aware of any. It >>> would be useful to take this discussion to the list, if you don't >>> mind. "I want an AES-based KDF for use case #2" is a good topic for >>> discussion. >> >> OK, I am trying to Grok this... >> >> Does CMAC have the same extraction properties as CBC-MAC? >> >> Someone mentioned that you should first run the DH output through a >> function that uniformly distributes the randomness, then feed it into >> CMAC. But what would that be if not a hash function? And it has >> to be >> tight enough code that it is a reasonable alternative. >> >> Is my only alternative for a 'light weight keying' to pitch DH and >> just >> deliver a random key encrypted with a public ECC key? Then I fit in >> case #3 and can use CMAC? Though an arguement can be made that you >> want >> to pitch DH as well when you strive for a real small code size and >> low >> CPU hit. >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg >> > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] draft-irtf-cfrg-kdf-uses-00 David McGrew
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Zooko Wilcox-O'Hearn
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Robert Moskowitz
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Robert Moskowitz
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 David McGrew
- Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00 Dan Harkins