Re: [Cfrg] Key Derivation Functions and Randomized Hashing from NIST
"Dan Harkins" <dharkins@lounge.org> Tue, 27 November 2007 21:32 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ix831-00081K-R1; Tue, 27 Nov 2007 16:32:51 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ix82z-000806-Ss for cfrg@ietf.org; Tue, 27 Nov 2007 16:32:49 -0500
Received: from colo.trepanning.net ([69.55.226.174]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ix82x-0001pc-R4 for cfrg@ietf.org; Tue, 27 Nov 2007 16:32:49 -0500
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 31C841FA61C2; Tue, 27 Nov 2007 13:32:47 -0800 (PST)
Received: from 216.31.249.246 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 27 Nov 2007 13:32:47 -0800 (PST)
Message-ID: <18403.216.31.249.246.1196199167.squirrel@www.trepanning.net>
In-Reply-To: <1196102798.474b148e7ffb1@webmail.nist.gov>
References: <E1IwhJm-0008ST-6g@megatron.ietf.org> <1196102798.474b148e7ffb1@webmail.nist.gov>
Date: Tue, 27 Nov 2007 13:32:47 -0800
Subject: Re: [Cfrg] Key Derivation Functions and Randomized Hashing from NIST
From: Dan Harkins <dharkins@lounge.org>
To: qdang@nist.gov
User-Agent: SquirrelMail/1.4.8
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3 (Normal)
Importance: Normal
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Scan-Signature: 9a2be21919e71dc6faef12b370c4ecf5
Cc: tim.polk@nist.gov, cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi Quynh, Thank you for soliciting input on a new KDF. Let me provide some: 1. Please consider a KDF which uses a PRF based on a symmetric cipher and not just an HMAC of a hash function. It is desirable to implement a secure system with a minimum of cryptographic primitives and the assumptions placed on them. 2. Please consider speed. Sometimes a KDF is a one-off function performed after key agreement. But in some situations this is not realistic. For instance in a mesh network (e.g. IEEE 802.11s) environmental changes can cause links to go up and down repeatedly and session keys may need to be derived frequently from the shared secret. Also, various "fast roaming" schemes are being proposed in which a "master key" is used in a KDF to derive scores, and perhaps hundreds, of keys (e.g. the HOKEY WG in the IETF, or IEEE 802.11r). 3. The KDF in 800-56A is KDF(Z, Otherinput) where Z is the secret, and Otherinput is the keydatalen and Otherdata. Otherdata is defined as at least 3 and possibly 5 distinct inputs all concatenated together. This is the way most people define KDFs: it takes a key, a keydatalen, and then a single input comprised of the concatenation of several distinct inputs. Please consider this as the degenerate case of a KDF with a KDF that can accept distinct inputs distinctly as the general case. In other words I'd like to see an interface like this: KDF(Z, keydatalen, data1, data2, data3, ....) instead of like this: KDF(Z, keydatalen, data1|data2|data3|...) Many times the data passed to the KDF is some context and/or a label to bind to the derived key. Often much of this is constant over many invocations of the KDF and there are efficiencies that can trivially gained with a KDF using the former input and not the later input. If the underlying PRF takes a single input then the data can be marshalled into a single input as it is today but the interface to the KDF should not preclude a PRF that handles its input naturally. Again, a single input should be supported as the degenerate case but not mandated as the general case. To answer your question about alternative designs I would like you to consider S2V (from the paper "Deterministic Authenticated Encryption" by Rogaway and Shrimpton). A KDF based on this was recently voted into the IEEE 802.11s draft. The new 802.11s KDF uses S2V with AES-CMAC (number 1 above), it is approximately four times faster than the HMACSHA256-based KDF it replaced (number 2 above), and accepts a vector of distinct inputs (number 3 above). I look forward seeing you in Vancouver. And thanks again, Dan. On Mon, November 26, 2007 10:46 am, qdang@nist.gov wrote: > As many of you know, NIST has specified two standard KDFs for use with > key agreement algorithms (e.g., Diffie-Hellman or MQV) in NIST SP > 800-56A. NIST is considering supplementing the 800-56A KDFs with a > more broadly applicable KDF. In particular, NIST is considering a > proposal > for an HMAC-based KDF. Before committing resources to this effort, we > would > like to get a better handle on the requirements seen by protocol > developers and evaluate the level of support for such a standard. We > would > also like to identify alternative designs that should be considered. > > NIST also posted a draft publication of randomized hashing for public > comment in July. This project was inspired by Shai Halevi and Hugo > Krawczyk's > publication on randomized hashing, which can be found at > http://www.ee.technion.ac.il/~hugo/rhash/. The NIST draft is located at > http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-106. The > randomization technique in this publication is slightly different > from the technique designed by Shai Halevi and Hugo Krawczyk. NIST is > currently seeking feedback with respect to the applicability of > randomization techniques for IETF protocols, and the relative impediments > to > implementation and deployment. > > I will attend the IETF meeting in Vancouver Canada from the 2nd to > the 7th of December 2007 and would like to take this opportunity to > discuss > the issues mentioned above with parties who have interest in these topics. > > Quynh Dang > NIST > quynh.dang@nist.gov > > _______________________________________________ > Cfrg mailing list > Cfrg@ietf.org > https://www1.ietf.org/mailman/listinfo/cfrg > _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg