IETF Logo Mail Archive

Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00

"Dan Harkins" <dharkins@lounge.org> Sat, 10 April 2010 00:51 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC9263A69E3 for <cfrg@core3.amsl.com>; Fri, 9 Apr 2010 17:51:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.466
X-Spam-Level:
X-Spam-Status: No, score=-5.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGRP0Qi0iuis for <cfrg@core3.amsl.com>; Fri, 9 Apr 2010 17:51:47 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id B150E3A6811 for <cfrg@irtf.org>; Fri, 9 Apr 2010 17:51:47 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 7E7E61022404A; Fri, 9 Apr 2010 17:51:43 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Fri, 9 Apr 2010 17:51:43 -0700 (PDT)
Message-ID: <61c228be68923cdfa483939385de5809.squirrel@www.trepanning.net>
In-Reply-To: <FF51BDB9-F7FD-4B66-A644-6C9CAC97DA08@cisco.com>
References: <20100227073250.4D9063A8642@core3.amsl.com> <FE9E5030-975C-4400-B262-44C4A4A25095@cisco.com> <4BA9712D.5030004@htt-consult.com> <90674964-388A-4BF8-92D2-F909AD74883E@cisco.com> <4BAA5D03.9060104@htt-consult.com> <e814847129947fb93ba452075165522d.squirrel@www.trepanning.net> <FF51BDB9-F7FD-4B66-A644-6C9CAC97DA08@cisco.com>
Date: Fri, 09 Apr 2010 17:51:43 -0700
From: Dan Harkins <dharkins@lounge.org>
To: David McGrew <mcgrew@cisco.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: cfrg@irtf.org, Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: [Cfrg] draft-irtf-cfrg-kdf-uses-00
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2010 00:51:49 -0000

  Hi David,

  Good question! My (probably naive) answer is that using a block cipher
with a block size of 128 bits and assuming the nonces are uniformly random
to provide a random permutation of the block cipher then the DH secret
input to the CBC-MAC function must be from a group with an order of at
least 2^256, which for ECP groups that would correspond to a prime of at
least 512 bits, and then the 128-bit output would be computationally
indistinguishable from random. So I think the 521-bit random ECP group
from RFC 5114 would do the trick.

  Please correct me where I'm wrong.

  Dan.

On Fri, April 9, 2010 2:37 pm, David McGrew wrote:
> Hi Dan,
>
> what security level would that provide?   Or, for example, what choice
> of parameters and algorithms would you recommend in order to achieve a
> 96-bit equivalent security level?    My understanding is that, if one
> uses the implementation strategy that you suggest, and then claims
> provable security, then they're likely to be unhappy either with the
> security level that they get or the parameter sizes they'll need to use.
>
> David
>
> On Mar 24, 2010, at 1:15 PM, Dan Harkins wrote:
>
>>
>>  Hi Bob,
>>
>>  I don't know what the protocol is but if you added a nonce exchange
>> to the DH exchange (and had appropriate assumptions on the randomness
>> of the nonces) then you could use the nonces as the key to the CMAC-
>> based
>> KDF and the DH shared secret as (part of) the data that's MAC'd.
>>
>>  regards,
>>
>>  Dan.
>>
>> On Wed, March 24, 2010 11:42 am, Robert Moskowitz wrote:
>>> David suggested I bring this discussion to the list.
>>>
>>> As I have mentioned previously on this list, I want a CMAC based KDF
>>> where the key was derived from a DH exchange.  As you will see below,
>>> per this ID, CMAC can only be used as a KDF (and this is the case
>>> in its
>>> use in NIST 800-108) if the key is uniformly distributed (use case
>>> #3).
>>>
>>> So scan down to the important stuff....
>>>
>>> On 03/24/2010 07:30 AM, David McGrew wrote:
>>>> Hi Robert,
>>>>
>>>> On Mar 23, 2010, at 6:55 PM, Robert Moskowitz wrote:
>>>>
>>>>> Further questions...
>>>>>
>>>>> Does ECDH keys also fit in use case #2?
>>>>
>>>> yes, this use case was meant to cover any public key algorithm whose
>>>> output is a value that is secret, but which is not a binary string
>>>> that is uniformly randomly distributed.
>>>>
>>>>>
>>>>> Can you define a KDF for #2 that uses CMAC? It seems from your
>>>>> document that current there is not one.
>>>>>
>>>>
>>>> Not if you want provable security.
>>>>
>>>> From http://people.csail.mit.edu/dodis/ps/hmac.ps:
>>>>
>>>> The Extraction Properties of CBC-MAC Mode. We show, in Section 3,
>>>> that
>>>> if f is a random permutation over
>>>> {0, 1}^k and X is an input distribution with min-entropy of at least
>>>> 2k, then the statistical distance between F (X) (where F represents
>>>> the function f computed in CBC-MAC mode over L blocks) and the
>>>> uniform
>>>> distribution on {0, 1}^k is L · 2^{−k/2}.
>>>>
>>>> In practice, using this proof of security would mean that public
>>>> keys
>>>> providing 4*n bits of security would be needed in order to be
>>>> provably
>>>> secure at the n-bit level.  For ECC, this would mean we'd need to
>>>> use
>>>> 1024-bit keys (four times 256 bits) in order to claim 128 bits of
>>>> security based on something "provable".  So in short it seems that
>>>> if
>>>> one demands "provable security", this is not a good way to go.
>>>
>>> I ASSuME you mean used in an ECDH key agreement to get the non-
>>> uniformly
>>> distributed key?
>>>
>>>>
>>>> There might be more recent results, but I'm not aware of any.   It
>>>> would be useful to take this discussion to the list, if you don't
>>>> mind.  "I want an AES-based KDF for use case #2" is a good topic for
>>>> discussion.
>>>
>>> OK, I am trying to Grok this...
>>>
>>> Does CMAC have the same extraction properties as CBC-MAC?
>>>
>>> Someone mentioned that you should first run the DH output through a
>>> function that uniformly distributes the randomness, then feed it into
>>> CMAC.  But what would that be if not a hash function?  And it has
>>> to be
>>> tight enough code that it is a reasonable alternative.
>>>
>>> Is my only alternative for a 'light weight keying' to pitch DH and
>>> just
>>> deliver a random key encrypted with a public ECC key?   Then I fit in
>>> case #3 and can use CMAC?  Though an arguement can be made that you
>>> want
>>> to pitch DH as well when you strive for a real small code size and
>>> low
>>> CPU hit.
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email