[Cfrg] Fwd: Hash-Based Key Derivation
David Wagner <daw@cs.berkeley.edu> Tue, 25 October 2005 22:20 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUXA0-0006HP-71; Tue, 25 Oct 2005 18:20:48 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUX9y-0006H1-4K for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 18:20:46 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA18981 for <cfrg@ietf.org>; Tue, 25 Oct 2005 18:20:30 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUXMz-0004KG-2S for cfrg@ietf.org; Tue, 25 Oct 2005 18:34:14 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9PMKWvg022801 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 25 Oct 2005 15:20:32 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9PMKWv9022797; Tue, 25 Oct 2005 15:20:32 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510252220.j9PMKWv9022797@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] Fwd: Hash-Based Key Derivation
To: cfrg@ietf.org
Date: Tue, 25 Oct 2005 15:20:32 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Daniel Brown writes: >David Wagner wrote on 10/25/2005 02:51:58 PM: >> >> http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt >> >> General: The document doesn't specify how integers are to be encoded. >> Little-endian? Big-endian? It seems to me that protocols that reference >> this spec should be required to specify the encoding of integers into >> bit-strings. > >The counter in Step 3, Section 2.2 is said to be big-endian. Right. It is the only quantity whose endianness is specified. Everything else has its encoding left unspecified. >I presume that endian-ness of the various length indicators (for >algorithmID, contextID, SharedInfo) are intended to specified by the >application protocol, as this spec only says that they are fixed-length >bit strings without specifying the length. I too assume that this is the intent, but having good intentions is not enough. The nistkdf document should explicitly state the requirement that protocols must specify this. If you read my comment above, that is exactly what I suggested. >> 2.1.2: algorithmOID is variable-length, but there is no length field >> prepended to it. It seems like this omission should be remedied. > >Doesn't algorithmLen do this? Yes. You're absolutely right, I read too quickly and I misunderstood. I withdraw my comment. Thanks for the correction. >My concern is with the ASCII string >encoding of algorithmOID: why not use the usual DER encoding? What ASCII >string should be encoded? The sequence of numbers, separated as spaces, >embedding as ASCII? Interesting question. I don't have any suggestions. >> 2.1.4: The size of keydatalen is not specified. It should be. > >But keydatalen is an input, how can it be specified? Do you mean that >there should be a minimum size for keydatalen? Sorry, you're absolutely right. I read too quickly again. Let me try again. Should the value of keydatalen be included in the input to the hash function? It could be relevant if one ever calls the KDF with the same secret value and the same other parameters but with different values of keydatalen. Probably implementors are unlikely to make that mistake, but if the value of keydatalen is included in the input to the hash function, then the size (in bits) of the encoding of keydatalen should be specified by the protocol. >Presumably this is based on two results: (1) HMAC makes a good PRF and (2) >PRF makes a good KDF. Are there convenient references for such results? For (1), I believe the HMAC paper mentions this. It is straightforward to adapt the standard proof that HMAC is a good MAC into a proof that HMAC is a good PRF, modifying the assumptions slightly (instead of assuming that the compression function is a good MAC on single-block inputs, we assume it is a good PRF on single-block inputs, which is just as reasonable an assumption). I'm pretty sure that Hugo K has discussed this on some IETF mailing list or other, though I can't remember where (IPSEC? TLS? CFRG?). For (2), I don't understand the question. Isn't a PRF exactly the obvious and right way of making precise what we expect from a KDF? I have a suspicion that this may be a question of semantics (i.e., of what definitions we attach to KDF). So probably before I can answer whether a PRF makes for something that *you* would call a good PRF, I should ask you whether you can make precise what you mean by a KDF. For me, when I say KDF, what I mean is almost exactly that it should act as a PRF when given secret inputs from some specified distribution(s). >Moreover, this comments implies some doubt about the security of the more >direct construction in HKDF, i.e. that without going through a HMAC may >not only be formally unjustified but perhaps insecure. Let me try putting it another way. Going through a plain hash places more stress on the hash function, possibly in ways that the hash function wasn't designed for. In contrast, a PRF like HMAC was designed precisely for this purpose of handling many chosen-input queries under related inputs. A PRF is the right tool for this job; a hash isn't. A hash might happen to work, or might not, but a PRF like HMAC should give more confidence in the security of the result than a plain hash. Given the recent attacks on hash functions, it's probably a good idea to reduce our dependence on the hashes to the minimal assumptions we can get away with. >Wouldn't pre-hashing create a bottleneck for entropy, albeit one large >enough for adequate security? Yes. I think you've got it exactly right. I don't see an entropy bottleneck as a problem. The obvious instantiation of this scheme will be with SHA256. I can't see any reason to care about a 256-bit bottleneck on entropy. If anyone is worried about attacks with a 2^256 workfactor, they are worrying about the wrong things. _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein