IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 28 October 2005 17:05 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVXfK-00047I-MX; Fri, 28 Oct 2005 13:05:18 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVXfG-00047D-5U for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 13:05:15 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA28880 for <cfrg@ietf.org>; Fri, 28 Oct 2005 13:04:57 -0400 (EDT)
Received: from mailgw2.technion.ac.il ([132.68.238.33]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVXsq-0003UJ-IR for cfrg@ietf.org; Fri, 28 Oct 2005 13:19:18 -0400
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailgw2.technion.ac.il (Postfix) with ESMTP id 420FB3902BA for <cfrg@ietf.org>; Fri, 28 Oct 2005 19:05:12 +0200 (IST)
Received: from mailgw2.technion.ac.il ([127.0.0.1]) by localhost (mailgw2.technion.ac.il [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 01665-01-27 for <cfrg@ietf.org>; Fri, 28 Oct 2005 19:05:12 +0200 (IST)
Received: from ee.technion.ac.il (ee.technion.ac.il [132.68.48.5]) by mailgw2.technion.ac.il (Postfix) with ESMTP id 0E539390264 for <cfrg@ietf.org>; Fri, 28 Oct 2005 19:05:12 +0200 (IST)
Received: from ee.technion.ac.il (localhost [127.0.0.1]) by ee.technion.ac.il (8.12.10+Sun/8.12.2) with ESMTP id j9SH75Ol024888; Fri, 28 Oct 2005 19:07:05 +0200 (IST)
Received: from localhost (hugo@localhost) by ee.technion.ac.il (8.12.10+Sun/8.12.2/Submit) with ESMTP id j9SH72EV024884; Fri, 28 Oct 2005 19:07:05 +0200 (IST)
Date: Fri, 28 Oct 2005 19:07:02 +0200
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: Daniel Brown <DBrown@certicom.com>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
In-Reply-To: <OF9F9EB38A.2273A0A8-ON852570A7.006713F9-852570A7.0069970F@certicom.com>
Message-ID: <Pine.GSO.4.44_heb2.09.0510280854340.19210-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Virus-Scanned: by amavisd-new at technion.ac.il
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a87a9cdae4ac5d3fbeee75cd0026d632
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Dan,

thanks for the explanation and the pointer to the paper you
mentioned. I do not know if the explanation you give to the prepended
counter is the real reason behind NIST design (unfortunately they do
not offer public rationale) but if so it is yet another good example of
abusing random oracles and leading to ad-hoc constructions

At a high level what the NIST KDF does is to define a transformation from
a shared value SV and counter i into an output Hi using the transformation
Hi=H(i||SV) and assuming that Hi is pseudo random (since Hi is used a
cryptographic key).

In other words they are applying a function with key SV and input i and
hope to produce a pseudo random output. Or, in math notation:
Hi=PRF(SV,i) where PRF(SV,i)=H(i||SV) is intended as a pseudo-random
function and SV as a key (actually they are assuming much more than a
pseudorandom function since SV is NOT a uniform or pseudo-random key but I
will ignore this for now).

The interesting thing is that, according to what you say, they chose to
implement this Hash-based PRF to avoid attacks of complexity 2^160 (!).
For achieving that they resort to a very "sub-optimal" construction of PRF
whose analysis would need to assume that the underlying hash function is
collision resistant. So not only this does not give a "160-bit" security
but an 80-bit security at best (and we know that now it is even <80 bit).

Hugo


On Thu, 27 Oct 2005, Daniel Brown wrote:

> Hugo Krawcyzk wrote on 10/26/2005 07:09:01 PM:
>
> >
> > One final comment about random oracles. Take the example of NIST's KDF.
> > Note that the counter value comes before the SV value. Why?
>
> The paper:
>
> C. Adams, G. Kramer, S. Mister and R. Zuccherato, "On the Security of Key
> Derivation Functions",Information Security - 7th International
> Conference, ISC 2004, Lecture Notes in Computer Science 3225 (2004),
> Springer-Verlag, pp. 134-145.
>
> provides some grounds that putting the counter after the SV in a such a
> KDF based on an iterated hash function like SHA-1 has some risks.
>
> Suppose that the SV was before the counter, the SV is the length of a
> input block of SHA-1, (i.e. 512 bits), SV has min-entropy at least 256
> bits, the KDF is used to generate some number of AES-256 keys.If Eve
> obtains one of the AES keys, and it happens to contain a whole hash output
> block from the KDF, then she can determine all the other AES keys with
> only 2^160 work.Eve just searches through all possible values of the
> first chaining variable, until she finds a match with her sample.All
> other blocks have the same first value of the chaining variable, so she
> can then determine this too.Although this amount of work is infeasible
> today (and for the foreseeable future), it is considerably below the
> objective security level for AES-256, so qualifies as an attack.
>
> Placing the counter before the SV seems to stop this particular attack.
>
> The paper also provides an analysis of the IKE "KDF", and seems to draw a
> similar conclusion.
>
> > I do not really know. Of course, if H is a random oracle then the
> > order of counter and SV is immaterial (as long as it is kept fixed).
> > But with an actual function such as SHA-1 it may make a difference.
> > For example, Preneel and van Oorschot showed that if you are putting
> > a key as part of a hash message then it is best not to put it across
> > block boundaries. If this advise holds here then it might have been
> better
> > to put SV before counter. Now, I have not tried to really analyze this.
> > I am using this as an example showing that the idealization of H as a
> > random oracle may be too much of an abstraction driving us to bad
> > decisions.
> >
> > To make this last (important) point even clearer, think of the
> > design of a MAC. If SHA-1 is to be treated as a random oracle then
> > MAC(K,msg)=SHA-1(K||msg) makes a "provably secure" MAC.But as we
> > know it is *completely insecure* due to extension attacks.One can
> > say: "well we know about extension attacks so we won't do that"
> > (note that this is already an important realization that SHA-1 is
> > NOT a random oracle -- even if the compresion function was purely
> random).
> > So we'll try another construct: MAC(K,msg)=SHA-1(msg||K).
> > How about this one?Again, it is provable secure in the RO model.
> > How secure is it in practice? Until a couple of years ago very secure.
> > Now it is not secure anymore since it is vulnerable to collision attacks
> > on SHA-1!Again, too much confidence (or reliance) on the random oracle
> > approach can easily lead us to bad (or at least sub-optimal) choices.
> >
>
> I agree.The RO model is great for ignoring the role of the hash function
> when analyzing a scheme with many ingredients, i.e. hash andDLog Group,
> but if the hash is the key ingredient, then a proof in the RO model says
> very little.
>
> Dan Brown
> (905) 501-3857
> http://www.certicom.com
>



_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email