[Cfrg] AES-based key derivation

David McGrew <mcgrew@cisco.com> Wed, 18 October 2006 13:52 UTC

From: David McGrew <mcgrew@cisco.com>
Date: Wed, 18 Oct 2006 06:52:00 -0700
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>, cfrg@ietf.org

Hi David and others,

I'm revisiting an old topic: AES-based key derivation.  It has come up in the EMU WG recently, as well as cropping up in the AEAD discussion.

On Aug 29, 2006, at 10:22 AM, David Wagner wrote:

> David McGrew wrote:
>> AFAIK there is no
>> FIPS-140 approved method for deriving an encryption key and a MAC key
>> from a single key using AES.
>
> Well, I would use CMAC for that task.  CMAC is a NIST-approved mode.
> If AES is secure, then AES-CMAC is a secure PRF.  And any secure PRF is
> perfectly fine for deriving an encryption key and a MAC key.
>

It belatedly occurs to me that CMAC, by itself, can't generate 192 or 256 bit keys.  So we'd need to run CMAC in counter mode.  One way to do this is to augment Step 5 of the Concatenation HKDF Algorithm (Section 3.1.2 of http://www.ietf.org/internet-drafts/draft-dang-nistkdf-01.txt) from

              a. Compute Hash-i = H (counter || SV || algorithmID ||
             contextID {|| SharedInfo}).

to this

              a. Compute Hash-i = AES_CMAC(SV, counter || algorithmID ||
             contextID {|| SharedInfo}).

Comments welcome.  It is not clear to me that we really need to go to all the effort to define an AES-only way to derive secret keys from other secret keys, but if we do, this seems like a reasonable way to go.

Of course, in the case of the authenticated encryption draft (the original thread), the contextID field would need to be set to a fixed value.  It would be superfluous, but it doesn't hurt to have it there.

David



_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg