[Cfrg] AES-based key derivation
David McGrew <mcgrew@cisco.com> Wed, 18 October 2006 13:52 UTC
From: David McGrew <mcgrew@cisco.com>
Date: Wed, 18 Oct 2006 06:52:00 -0700
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>, cfrg@ietf.org
Subject: [Cfrg] AES-based key derivation
Hi David and others,

I'm revisiting an old topic: AES-based key derivation. It has come up in the EMU WG recently, as well as cropping up in the AEAD discussion.

On Aug 29, 2006, at 10:22 AM, David Wagner wrote:

> David McGrew wrote:
>> AFAIK there is no
>> FIPS-140 approved method for deriving an encryption key and a MAC key
>> from a single key using AES.
>
> Well, I would use CMAC for that task. CMAC is a NIST-approved mode.
> If AES is secure, then AES-CMAC is a secure PRF. And any secure PRF is
> perfectly fine for deriving an encryption key and a MAC key.

It belatedly occurs to me that CMAC, by itself, can't generate 192- or 256-bit keys. So we'd need to run CMAC in counter mode. One way to do this is to augment Step 5 of the Concatenation HKDF Algorithm (Section 3.1.2 of http://www.ietf.org/internet-drafts/draft-dang-nistkdf-01.txt) from

   a. Compute Hash-i = H (counter || SV || algorithmID || contextID {|| SharedInfo}).

to this

   a. Compute Hash-i = AES_CMAC(SV, counter || algorithmID || contextID {|| SharedInfo}).

Comments welcome. It is not clear to me that we really need to go to all the effort to define an AES-only way to derive secret keys from other secret keys, but if we do, this seems like a reasonable way to go.

Of course, in the case of the authenticated encryption draft (the original thread), the contextID field would need to be set to a fixed value. It would be superfluous, but it doesn't hurt to have it there.

David
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew