[dsfjdssdfsd] Should we/4086 focus on key generation, and defer key derivation and key streaming to elsewhere?

Dan Brown <dbrown@certicom.com> Tue, 18 March 2014 17:21 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 607281A06F3 for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 18 Mar 2014 10:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YoZsBgOKIqX2 for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 18 Mar 2014 10:21:42 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id EF2341A0728 for <dsfjdssdfsd@ietf.org>; Tue, 18 Mar 2014 10:21:22 -0700 (PDT)
Received: from xct101cnc.rim.net ([10.65.161.201]) by mhs212cnc.rim.net with ESMTP/TLS/AES128-SHA; 18 Mar 2014 13:21:06 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT101CNC.rim.net ([fe80::9c22:d9c:c906:c488%16]) with mapi id 14.03.0174.001; Tue, 18 Mar 2014 13:21:06 -0400
From: Dan Brown <dbrown@certicom.com>
To: "dsfjdssdfsd@ietf.org" <dsfjdssdfsd@ietf.org>
Thread-Topic: Should we/4086 focus on key generation, and defer key derivation and key streaming to elsewhere?
Thread-Index: Ac9CzlkkvLlGCzN4TiODOz6M+NoFrA==
Date: Tue, 18 Mar 2014 17:21:05 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C59ED3@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0049_01CF42AC.EAFD2320"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/hstfQmtdFDJnRpMk5RaPZTC9cSg
Subject: [dsfjdssdfsd] Should we/4086 focus on key generation, and defer key derivation and key streaming to elsewhere?
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 17:21:45 -0000

Hi Random List Members,

 

What classes of "RNGs" are useful (or just used) in cryptography? / Should
4086bis cover them?

 

I provide my three answers to these questions below, but am also interested
in others' answers.

 

Key streams. / No.

 

Key streams take a short shared secret and generate a long key stream
apparently indistinguishable from random. RFC 4086 seems to also cover key
stream (cipher) generation, in Section 6.2 (third paragraph xor'ing one-time
pads) , but it seems too far out of scope for 4086.  CFRG, or each
individual IETF WGs, now covers stream cipher, at least when as one-time
pads.    Beyond one-time pads, key streams may be useful for side-channel
protection, i.e. blinding (or for general purpose non-crypto applications,
in which case, they not crypto security properties may be required).   My
thought; let's exclude key streaming applications from 4086bis and instead
the focus on the more fundamental task of key generation (further below,
after derivation). 

 

Key derivation. / No.

 

Key derivation function take a (shared or not) short secret key, derive yet
more short keys, often customized for a single purpose.  Examples: from TLS
master_key to encryption key; DH raw shared secret conversion to a session
key; perhaps even private DH keys to session keys; passwords to key
conversion via slow, costly function; -- perhaps also even key wrap as in
S/MIME, nonce generation, and even ephemeral secret key generation.  These
seem to be covered by various other specs, so ought not to be included in
4086.  Again, 4086bis ought best to focus of key generation (below).

 

Key generation. / Yes.

 

With no pre-existing short key, this is a task that actually requires some
genuine secret entropy gathering, and perhaps a persistent state (whereas
the streams and derivations are stateless functions).  The output here could
be quite short, since streaming and derivation can easily generate more
keys.  I think it would be good for 4086bis to focus more on this task.  The
term "generation" is a little awkward, because it is does not distinguish
itself well from key derivation.  Note that key derivation and key streaming
already rely on good key generation, so key generation is unavoidable, and
fundamental.

 

///

 

The approach above is task-oriented.  

 

An opposite approach would be tool-oriented: describe RNGs as a general
purpose tool, and how to build them well and so on, and try to target every
possible security goal.  That approach may have poorly defined (or at least
poorly prioritized) set of requirements, but may also have more realistic
implementability.  Perhaps both approaches should be pursued, but I'd hope
for at least a clearly defined set of task-oriented requirements that is
especially careful about key generation.

 

An approach similar to the tool-oriented approach is an attack-oriented
approach, which has been started already in a different thread here, by Nick
M. 

 

Best regards,

 


Daniel Brown


Research In Motion Limited