RE: [Cfrg] Fwd: Hash-Based Key Derivation

Scott Fluhrer <sfluhrer@cisco.com> Tue, 25 October 2005 20:01 UTC

Date: Tue, 25 Oct 2005 13:01:15 -0700
From: Scott Fluhrer <sfluhrer@cisco.com>
To: "Blumenthal, Uri" <uri.blumenthal@intel.com>
Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
In-Reply-To: <3DEC199BD7489643817ECA151F7C5929020EEBB0@pysmsx401.amr.corp.intel.com>
Message-ID: <Pine.GSO.4.63.0510251256480.17882@irp-view5.cisco.com>
References: <3DEC199BD7489643817ECA151F7C5929020EEBB0@pysmsx401.amr.corp.intel.com>
Cc: cfrg@ietf.org


On Tue, 25 Oct 2005, Blumenthal, Uri wrote:

>> Is there a proof somewhere that pre-hashing then MACing makes a good
>> KDF?
>
> AFAIK - such a proof does not exist (yet?).
>
> Regarding hash - some people claim, that based on their experience,
> crypto-hash output is "random enough". I personally find it somewhat
> "unscientific". :-)
>
>> I'd be interested to see it.
>
> Me too.

Actually, such a proof doesn't exist; you need further assumptions beyond 
the standard.  Trivial example: take a secure MAC, and produce a variant 
by prepending the output with a zero bit:

    tMAC(key, text) = 0 + MAC(key, text)

tMAC is obviously a secure MAC if the underlying MAC is; however, it is 
obviously not a secure PRF.

Sigh...

>
>> -----Original Message-----
>> From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On
>> Behalf Of David Wagner
>> Sent: Tuesday, October 25, 2005 2:41 PM
>> To: cfrg@ietf.org
>> Subject: [Cfrg] Fwd: Hash-Based Key Derivation
>>
>>
>> Simon Blake-Wilson writes:
>>> Is it really true that you can build a KDF like this based
>>> on standard
>>> assumptions about a MAC? [...] MACs are by design secure only if the
>>> key is pseudorandom, aren't they?
>>
>> Yes, in general, you are right.  The fix is to pre-hash the
>> key. So you might use F(S,X) = SHA256-HMAC(SHA256(S), X),
>> where S is the secret.
>>
>> For HMAC, it might just happen to be the case that
>> pre-hashing is unnecessary -- I don't know, and I haven't
>> tried to do the analysis.
>>

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
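Fluhrer's separating example worked through in code, as an added illustration that is not part of the thread: tMAC = 0 || MAC still verifies as a MAC, yet a one-query distinguisher tells it from a random function with advantage about 1/2. The underlying "secure MAC" is assumed to be HMAC-SHA256, which the mail does not specify; the seed and message are constructed.

```python
import hashlib
import hmac
import random


def mac(key: bytes, text: bytes) -> bytes:
    # Stand-in for "a secure MAC" (an assumption; the mail names none): HMAC-SHA256.
    return hmac.new(key, text, hashlib.sha256).digest()


def mac_bits(key: bytes, text: bytes) -> str:
    # The plain MAC tag as a 256-character bit string.
    return format(int.from_bytes(mac(key, text), "big"), "0256b")


def tmac(key: bytes, text: bytes) -> str:
    # Fluhrer's variant: a constant zero bit prepended to the MAC output (257 bits).
    return "0" + mac_bits(key, text)


def tmac_verify(key: bytes, text: bytes, tag: str) -> bool:
    # tMAC is still a usable MAC: verification works exactly as before (constant-time compare).
    return hmac.compare_digest(tag.encode(), tmac(key, text).encode())


def distinguisher(oracle) -> int:
    # One-query PRF distinguisher: output 1 ("this looks like tMAC") iff the first bit is 0.
    return 1 if oracle(b"any message")[0] == "0" else 0


def advantage(candidate, out_bits: int, trials: int = 1000, seed: int = 2005) -> float:
    # Estimate Pr[D=1 | fresh-keyed candidate] - Pr[D=1 | truly random function of the
    # same output length]. Keys and the ideal oracle are drawn from a seeded RNG so the
    # estimate is reproducible; a real deployment would key from os.urandom.
    rng = random.Random(seed)
    real = sum(distinguisher(lambda m, k=rng.randbytes(32): candidate(k, m))
               for _ in range(trials))
    ideal = sum(distinguisher(lambda m: format(rng.getrandbits(out_bits), f"0{out_bits}b"))
                for _ in range(trials))
    return (real - ideal) / trials


if __name__ == "__main__":
    print("tMAC advantage:", advantage(tmac, 257))      # D always says 1 for tMAC: near 0.5
    print("HMAC advantage:", advantage(mac_bits, 256))  # no such fixed bit: near 0
```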