IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation

Daniel Brown <DBrown@certicom.com> Tue, 25 October 2005 21:02 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUVwU-0006Hi-GB; Tue, 25 Oct 2005 17:02:46 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUVwR-0006H9-SM for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 17:02:44 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA14117 for <cfrg@ietf.org>; Tue, 25 Oct 2005 17:02:28 -0400 (EDT)
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EUW9R-0001pz-IT for cfrg@ietf.org; Tue, 25 Oct 2005 17:16:12 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id E3EA51018196E; Tue, 25 Oct 2005 17:02:29 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09393-30; Tue, 25 Oct 2005 17:02:28 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 437891018196C; Tue, 25 Oct 2005 17:02:28 -0400 (EDT)
In-Reply-To: <200510251851.j9PIpwkE017257@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OFE3B12D0F.23E728CC-ON852570A5.0071F8AD-852570A5.0073A6AB@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Tue, 25 Oct 2005 17:03:28 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/25/2005 05:03:25 PM, Serialize complete at 10/25/2005 05:03:25 PM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3fbd9b434023f8abfcb1532abaec7a21
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1558099737=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

David Wagner wrote on 10/25/2005 02:51:58 PM:

> >> I wanted call your attention to an individual draft on "Hash-Based 
> >> Key Derivation."
> >>       http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt
> 
> General: The document doesn't specify how integers are to be encoded.
> Little-endian?  Big-endian?  It seems to me that protocols that 
reference
> this spec should be required to specify the encoding of integers into
> bit-strings.

The counter in Step 3, Section 2.2 is said to be big-endian.  I presume 
that endian-ness of the various length indicators (for algorithmID, 
contextID, SharedInfo) are intended to specified by the application 
protocol, as this spec only says that they are fixed-length bit strings 
without specifying the length.

> 
> 2.1.2: algorithmOID is variable-length, but there is no length field
> prepended to it.  It seems like this omission should be remedied.

Doesn't algorithmLen do this?  My concern is with the ASCII string 
encoding of algorithmOID: why not use the usual DER encoding?  What ASCII 
string should be encoded?   The sequence of numbers, separated as spaces, 
embedding as ASCII?

Also, traditionally, many object identifiers are associated with some 
parameters, with the whole bundle being called an algorithm identifier.  I 
feel that a proper algorithm identifier would be more appropriate rather 
than just an object identifier with the parameters field cut off.

> 
> 2.1.4: The size of keydatalen is not specified.  It should be.

But keydatalen is an input, how can it be specified?  Do you mean that 
there should be a minimum size for keydatalen?

> 
> 2.1.6: I'm not entirely certain about the requirement that "protocols
> SHOULD support multiple hashes"; perhaps that SHOULD should be a MAY.

Agree.

> 
> 2.2: I agree that the spec should probably be using a PRF (e.g., H-HMAC)

Presumably this is based on two results: (1) HMAC makes a good PRF and (2) 
PRF makes a good KDF.  Are there convenient references for such results? 
If their explanations are short enough, could somebody summarize them to 
me?

> rather than a plain hash (H), 

Moreover, this comments implies some doubt about the security of the more 
direct construction in HKDF, i.e. that without going through a HMAC may 
not only be formally unjustified but perhaps insecure.

> and probably should be pre-hashing the secret
> value with H (depending upon the properties of the PRF).

Wouldn't pre-hashing create a bottleneck for entropy, albeit one large 
enough for adequate security?  With HDKF, if SV contains more than hashlen 
bits of entropy, there's some chance that the DerivedKeyMaterial also 
comes out more than hashlen bits of entropy.  If SV was replace with 
Hash(SV), the maximum entropy would be hashlen. 

> 
> 4: Should there be some discussion about the dangers of hash negotiation
> (e.g., that your security against active attacks might degrade to that
> of the weakest hash supported)?

Agree.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email