Re: [Cfrg] Re: Changing the key deriveration
canetti <canetti@watson.ibm.com> Tue, 24 February 2004 00:24 UTC
Date: Mon, 23 Feb 2004 19:18:47 -0500
From: canetti <canetti@watson.ibm.com>
To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
cc: cfrg@ietf.org, ipsec@lists.tislabs.com, Charlie Kaufman <ckaufman@microsoft.com>, Hugo Krawczyk <hugo@ee.technion.ac.il>, "The Purple Streak, Hilarie Orman" <ho@alum.mit.edu>
Subject: Re: [Cfrg] Re: Changing the key deriveration
In-Reply-To: <p06020427bc5c6de73978@[63.202.92.153]>
Message-ID: <Pine.A41.4.10.10402231839040.31144-100000@ornavella.watson.ibm.com>
Sorry for the delayed reaction. Let me try to be concise:

1. I strongly support the move to change the spec. Using the same key for two different algorithms is a big "no no" that, on top of other drawbacks, does not allow mathematical proofs of security to go through. (Not being amenable to analysis is a considerable *practical* weakness, even if we do not see how to turn the weakness into an explicit attack...)

2. Both the solution suggested by Hugo (to derive two more keys from SEEDKEY, to be used for the PRF by the sender/responder, respectively), and the solution suggested by Hilarie (to use SK_d, the key meant for deriving the IPSEC keying material, as the key to the PRF) are in principle sound. However, Hugo's solution seems somewhat more robust: it seems preferable to keep the "virginity" of the derivation key, SK_d, and refrain from using it inside the protocol. This feeling is compounded by the fact that in the password-based authentication mode the PRF is applied to messages of a generic password-based protocol, so the door may be open to "oracle attacks" that use the parties to obtain values of PRF(SK_d,...) on desired values.

So, in conclusion, if we're already changing the spec for better analyzability/provability, then I think we should play it safe and derive two extra keys from SEEDKEY, rather than use SK_d. (The difference in performance and complexity between the two options seems minimal.)

Ran

On Fri, 20 Feb 2004, Paul Hoffman / VPNC wrote:

> At 9:57 PM +0200 2/17/04, Hugo Krawczyk wrote:
> >Anyway, replacing SK_ai and SK_ar in the above text (as well as in 2.15,
> >first paragraph) with SK_d does resolve the problem of using two
> >algorithms (prf and integrity) with the same key, and it is much better
> >than what is done now.
>
> There have been no more comments on this, and the ADs are still
> waiting for a final draft of this document so they can move all three
> IKEv2 documents to IETF last call.
>
> Charlie: are you OK with this solution? If so, can you get the new
> draft out soon, such as when the Internet Drafts window opens?
>
> --Paul Hoffman, Director
> --VPN Consortium
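The two derivation options discussed in this thread, as an added worked example in Python (not code from the thread or from any IKEv2 implementation): a prf+ expansion in the style IKEv2 uses to cut SEEDKEY into its keys, a derivation that optionally appends the two extra PRF keys Hugo proposes (named SK_pi/SK_pr here as an assumption), and a key-separation check over which keys each algorithm is keyed with under the current text, Hilarie's SK_d reuse, and Hugo's extra keys. HMAC-SHA1 as the PRF and the seed string are constructed for the example.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF; HMAC-SHA1 is a constructed choice for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, nbytes: int) -> bytes:
    """IKEv2-style prf+ expansion: T1 = prf(K, S|0x01), Ti = prf(K, T(i-1)|S|i)."""
    out, t, i = b"", b"", 1
    while len(out) < nbytes:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:nbytes]


def derive_keys(seedkey: bytes, seed: bytes, klen: int, extra_prf_keys: bool) -> dict:
    """Cut prf+(SEEDKEY, seed) into SK_d, SK_ai, SK_ar, SK_ei, SK_er and, when
    extra_prf_keys is set, two more keys SK_pi/SK_pr (assumed names) for the PRF."""
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er"]
    if extra_prf_keys:
        names += ["SK_pi", "SK_pr"]
    material = prf_plus(seedkey, seed, klen * len(names))
    return {n: material[j * klen:(j + 1) * klen] for j, n in enumerate(names)}


def key_roles(option: str) -> dict:
    """Which keys each algorithm is keyed with under each option in the thread."""
    roles = {"derivation": {"SK_d"}, "integrity": {"SK_ai", "SK_ar"},
             "encryption": {"SK_ei", "SK_er"}}
    if option == "current":       # SK_ai/SK_ar key both the PRF and integrity
        roles["prf"] = {"SK_ai", "SK_ar"}
    elif option == "reuse_SK_d":  # Hilarie: the derivation key SK_d keys the PRF too
        roles["prf"] = {"SK_d"}
    elif option == "extra_keys":  # Hugo: dedicated PRF keys, nothing shared
        roles["prf"] = {"SK_pi", "SK_pr"}
    else:
        raise ValueError(option)
    return roles


def shared_keys(roles: dict) -> dict:
    """Key-separation check: report every key fed to more than one algorithm."""
    uses = {}
    for alg, keys in roles.items():
        for k in keys:
            uses.setdefault(k, set()).add(alg)
    return {k: algs for k, algs in uses.items() if len(algs) > 1}
```

Running `shared_keys(key_roles(opt))` for the three options reports SK_ai/SK_ar shared under the current text, SK_d shared under the reuse option, and nothing shared once the extra keys are derived.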