[dsfjdssdfsd] Should we/4086 focus on key generation, and defer key derivation and key streaming to elsewhere?
Dan Brown <dbrown@certicom.com> Tue, 18 March 2014 17:21 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 607281A06F3 for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 18 Mar 2014 10:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YoZsBgOKIqX2 for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 18 Mar 2014 10:21:42 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id EF2341A0728 for <dsfjdssdfsd@ietf.org>; Tue, 18 Mar 2014 10:21:22 -0700 (PDT)
Received: from xct101cnc.rim.net ([10.65.161.201]) by mhs212cnc.rim.net with ESMTP/TLS/AES128-SHA; 18 Mar 2014 13:21:06 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT101CNC.rim.net ([fe80::9c22:d9c:c906:c488%16]) with mapi id 14.03.0174.001; Tue, 18 Mar 2014 13:21:06 -0400
From: Dan Brown <dbrown@certicom.com>
To: "dsfjdssdfsd@ietf.org" <dsfjdssdfsd@ietf.org>
Thread-Topic: Should we/4086 focus on key generation, and defer key derivation and key streaming to elsewhere?
Thread-Index: Ac9CzlkkvLlGCzN4TiODOz6M+NoFrA==
Date: Tue, 18 Mar 2014 17:21:05 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C59ED3@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0049_01CF42AC.EAFD2320"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/hstfQmtdFDJnRpMk5RaPZTC9cSg
Subject: [dsfjdssdfsd] Should we/4086 focus on key generation, and defer key derivation and key streaming to elsewhere?
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 17:21:45 -0000
Hi Random List Members, What classes of "RNGs" are useful (or just used) in cryptography? / Should 4086bis cover them? I provide my three answers to these questions below, but am also interested in others' answers. Key streams. / No. Key streams take a short shared secret and generate a long key stream apparently indistinguishable from random. RFC 4086 seems to also cover key stream (cipher) generation, in Section 6.2 (third paragraph xor'ing one-time pads) , but it seems too far out of scope for 4086. CFRG, or each individual IETF WGs, now covers stream cipher, at least when as one-time pads. Beyond one-time pads, key streams may be useful for side-channel protection, i.e. blinding (or for general purpose non-crypto applications, in which case, they not crypto security properties may be required). My thought; let's exclude key streaming applications from 4086bis and instead the focus on the more fundamental task of key generation (further below, after derivation). Key derivation. / No. Key derivation function take a (shared or not) short secret key, derive yet more short keys, often customized for a single purpose. Examples: from TLS master_key to encryption key; DH raw shared secret conversion to a session key; perhaps even private DH keys to session keys; passwords to key conversion via slow, costly function; -- perhaps also even key wrap as in S/MIME, nonce generation, and even ephemeral secret key generation. These seem to be covered by various other specs, so ought not to be included in 4086. Again, 4086bis ought best to focus of key generation (below). Key generation. / Yes. With no pre-existing short key, this is a task that actually requires some genuine secret entropy gathering, and perhaps a persistent state (whereas the streams and derivations are stateless functions). The output here could be quite short, since streaming and derivation can easily generate more keys. I think it would be good for 4086bis to focus more on this task. The term "generation" is a little awkward, because it is does not distinguish itself well from key derivation. Note that key derivation and key streaming already rely on good key generation, so key generation is unavoidable, and fundamental. /// The approach above is task-oriented. An opposite approach would be tool-oriented: describe RNGs as a general purpose tool, and how to build them well and so on, and try to target every possible security goal. That approach may have poorly defined (or at least poorly prioritized) set of requirements, but may also have more realistic implementability. Perhaps both approaches should be pursued, but I'd hope for at least a clearly defined set of task-oriented requirements that is especially careful about key generation. An approach similar to the tool-oriented approach is an attack-oriented approach, which has been started already in a different thread here, by Nick M. Best regards, Daniel Brown Research In Motion Limited