IETF Logo Mail Archive

RE: [Cfrg] Fwd: Hash-Based Key Derivation

"Simon Blake-Wilson" <sblakewilson@bcisse.com> Tue, 25 October 2005 19:13 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUUEl-0000wI-R8; Tue, 25 Oct 2005 15:13:31 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUUEk-0000w7-3T for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 15:13:30 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA13362 for <cfrg@ietf.org>; Tue, 25 Oct 2005 15:13:15 -0400 (EDT)
Received: from 209-204-118-122.sniparpa.net ([209.204.118.122] helo=bcisse.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUURi-0006bG-31 for cfrg@ietf.org; Tue, 25 Oct 2005 15:26:57 -0400
Received: from simon (toronto-HSE-ppp4155839.sympatico.ca [70.51.124.85]) by bcisse.com; Tue, 25 Oct 2005 15:11:52 -0400
From: Simon Blake-Wilson <sblakewilson@bcisse.com>
To: cfrg@ietf.org
Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 15:11:50 -0400
Message-ID: <018b01c5d997$f45b7250$0200a8c0@simon>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
In-Reply-To: <200510251841.j9PIfEV2016969@taverner.CS.Berkeley.EDU>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 67c1ea29f88502ef6a32ccec927970f0
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0430213577=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Hi David,

Is there a proof somewhere that pre-hashing then MACing makes a good KDF?
I'd be interested to see it. In fact I'd settle for a good formal
definition of secure KDF ... Any pointers?

Best regards. Simon

> -----Original Message-----
> From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On 
> Behalf Of David Wagner
> Sent: Tuesday, October 25, 2005 2:41 PM
> To: cfrg@ietf.org
> Subject: [Cfrg] Fwd: Hash-Based Key Derivation
> 
> 
> Simon Blake-Wilson writes:
> >Is it really true that you can build a KDF like this based 
> on standard 
> >assumptions about a MAC? [...] MACs are by design secure only if the
> >key is pseudorandom, aren't they?
> 
> Yes, in general, you are right.  The fix is to pre-hash the 
> key. So you might use F(S,X) = SHA256-HMAC(SHA256(S), X), 
> where S is the secret.
> 
> For HMAC, it might just happen to be the case that 
> pre-hashing is unnecessary -- I don't know, and I haven't 
> tried to do the analysis.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> 

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email