Re: [Cfrg] Fwd: Hash-Based Key Derivation
Daniel Brown <DBrown@certicom.com> Tue, 25 October 2005 21:02 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUVwU-0006Hi-GB; Tue, 25 Oct 2005 17:02:46 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUVwR-0006H9-SM for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 17:02:44 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA14117 for <cfrg@ietf.org>; Tue, 25 Oct 2005 17:02:28 -0400 (EDT)
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EUW9R-0001pz-IT for cfrg@ietf.org; Tue, 25 Oct 2005 17:16:12 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id E3EA51018196E; Tue, 25 Oct 2005 17:02:29 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09393-30; Tue, 25 Oct 2005 17:02:28 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 437891018196C; Tue, 25 Oct 2005 17:02:28 -0400 (EDT)
In-Reply-To: <200510251851.j9PIpwkE017257@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OFE3B12D0F.23E728CC-ON852570A5.0071F8AD-852570A5.0073A6AB@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Tue, 25 Oct 2005 17:03:28 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/25/2005 05:03:25 PM, Serialize complete at 10/25/2005 05:03:25 PM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3fbd9b434023f8abfcb1532abaec7a21
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1558099737=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
David Wagner wrote on 10/25/2005 02:51:58 PM: > >> I wanted call your attention to an individual draft on "Hash-Based > >> Key Derivation." > >> http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt > > General: The document doesn't specify how integers are to be encoded. > Little-endian? Big-endian? It seems to me that protocols that reference > this spec should be required to specify the encoding of integers into > bit-strings. The counter in Step 3, Section 2.2 is said to be big-endian. I presume that endian-ness of the various length indicators (for algorithmID, contextID, SharedInfo) are intended to specified by the application protocol, as this spec only says that they are fixed-length bit strings without specifying the length. > > 2.1.2: algorithmOID is variable-length, but there is no length field > prepended to it. It seems like this omission should be remedied. Doesn't algorithmLen do this? My concern is with the ASCII string encoding of algorithmOID: why not use the usual DER encoding? What ASCII string should be encoded? The sequence of numbers, separated as spaces, embedding as ASCII? Also, traditionally, many object identifiers are associated with some parameters, with the whole bundle being called an algorithm identifier. I feel that a proper algorithm identifier would be more appropriate rather than just an object identifier with the parameters field cut off. > > 2.1.4: The size of keydatalen is not specified. It should be. But keydatalen is an input, how can it be specified? Do you mean that there should be a minimum size for keydatalen? > > 2.1.6: I'm not entirely certain about the requirement that "protocols > SHOULD support multiple hashes"; perhaps that SHOULD should be a MAY. Agree. > > 2.2: I agree that the spec should probably be using a PRF (e.g., H-HMAC) Presumably this is based on two results: (1) HMAC makes a good PRF and (2) PRF makes a good KDF. Are there convenient references for such results? If their explanations are short enough, could somebody summarize them to me? > rather than a plain hash (H), Moreover, this comments implies some doubt about the security of the more direct construction in HKDF, i.e. that without going through a HMAC may not only be formally unjustified but perhaps insecure. > and probably should be pre-hashing the secret > value with H (depending upon the properties of the PRF). Wouldn't pre-hashing create a bottleneck for entropy, albeit one large enough for adequate security? With HDKF, if SV contains more than hashlen bits of entropy, there's some chance that the DerivedKeyMaterial also comes out more than hashlen bits of entropy. If SV was replace with Hash(SV), the maximum entropy would be hashlen. > > 4: Should there be some discussion about the dangers of hash negotiation > (e.g., that your security against active attacks might degrade to that > of the weakest hash supported)? Agree.
_______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein