Re: deriving keying material from the shared secret

pau@watson.ibm.com Mon, 01 July 1996 16:03 UTC

Received: from ietf.cnri.reston.va.us by IETF.CNRI.Reston.VA.US id aa12544; 1 Jul 96 12:03 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa12540; 1 Jul 96 12:03 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa10545; 1 Jul 96 12:03 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa23935; 1 Jul 96 11:42 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa23857; 1 Jul 96 11:36 EDT
Received: by relay.tis.com; id LAA06976; Mon, 1 Jul 1996 11:38:04 -0400
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: pau@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1.1) id xma006968; Mon, 1 Jul 96 11:37:37 -0400
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA26640; Mon, 1 Jul 96 11:37:38 EDT
Received: by relay.tis.com; id LAA06965; Mon, 1 Jul 1996 11:37:34 -0400
Received: from igw2.watson.ibm.com(129.34.139.6) by relay.tis.com via smap (V3.1.1) id xma006958; Mon, 1 Jul 96 11:37:06 -0400
Received: from mailhub1.watson.ibm.com (mailhub1.watson.ibm.com [9.2.249.31]) by igw2.watson.ibm.com (8.7.4/8.7.1) with ESMTP id LAA18984; Mon, 1 Jul 1996 11:40:11 -0400
Received: from secpwr.watson.ibm.com (secpwr.watson.ibm.com [9.2.24.17]) by mailhub1.watson.ibm.com (8.7.1/03-28-96) with SMTP id LAA21534; Mon, 1 Jul 1996 11:39:34 -0400
Received: by secpwr.watson.ibm.com (AIX 4.1/UCB 5.64/4.03) id AA21226; Mon, 1 Jul 1996 11:45:26 -0400
Date: Mon, 01 Jul 1996 11:45:26 -0400
Message-Id: <9607011545.AA21226@secpwr.watson.ibm.com>
To: ipsec@tis.com, smb@research.att.com
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
Subject: Re: deriving keying material from the shared secret
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Md5: kflqhCoLK1Y7wfGJhmDu1w==
X-Orig-Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

Yes, this is a good idea. I don't know, however, if we should specify
a generic algorithm for all crypto algorithms; or each crypto
(e.g., DES, HAMC-MD5, etc.) should specify its own transformation
to transfer a n-bit keying material to a m-bit key ? Where n could be
either greater than, equal to, or less than m.

The advantage of per-algorithm transformation is that some algorithm
may have special considerations. For example, DES may require special
processing if the result of the transformation is a DES weak key
(as suggested bt teh isakmp-oakley draft).


Regards, Pau-Chen

> From ipsec-request@neptune.tis.com Mon Jul  1 10:49:46 1996
> Message-Id: <199606302320.TAA00201@smb.research.att.com>
> X-Authentication-Warning: smb.research.att.com: smb owned process doing -bs
> From: Steve Bellovin <smb@research.att.com>
> Mmdf-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
> To: ipsec@TIS.COM
> Subject: deriving keying material from the shared secret
> Date: Sun, 30 Jun 1996 19:18:51 -0400
> Sender: ipsec-approval@neptune.tis.com
> Precedence: bulk
> Content-Length: 2145
> Status: RO
> 
> The particular secrecy and authentication transforms we are considering
> need varying amounts of keying material.  For example, the current ESP
> draft (draft-ietf-ipsec-esp-des-md5-02.txt) uses two 56-bit DES keys
> (though it extracts 64-bit chunks), a single 64-bit IV (why one instead
> of two?), and a 128-bit HMAC key.  A mechanism for deriving these keys
> from the shared secret is given in the text; it involves a 512-bit
> pad field whose contents varies, and MD5.
> 
> By contrast, the current MD5-HMAC draft (draft-ietf-ipsec-ah-hmac-md5-00.txt)
> uses a variable-length key apparently taken directly from the shared
> secret, crunching it through MD5 if needed to reduce it to 64 bytes if
> needed.
> 
> I suggest that we have one standard method of extracting keys from
> the shared secret, probably spelled out in a separate RFC.  It is
> important, in my opinion, to make it extremely difficult to derive
> one key given one of the others derived from the same shared secret.
> For example, suppose one can determine the IV used for the ESP
> transform as defined; we don't want to make it easy to determine
> the session keys from the IV.
> 
> The derivation mechanism used in the ESP draft is probably wrong, since
> it uses MD5 run on the concatenation of a constant string (which differs
> for each key) and the shared secret.  Since the constant string is
> 64 bytes long, the natural input block length of MD5, when the secret
> is crunched in it is equivalent to running MD5' on just the secret,
> where MD5 differs from MD5 only in the starting values of the state
> registers A, B, C, D.  If the shared secret is, say, 155 bits (and I
> think that that will be common, if elliptic curves are used and if I'm
> reading the Oakley spec correctly), then the attacker need only go after
> one of the simpler cases for attacking MD5.  (A forthcoming draft paper
> will show why it may be relatively easier to get the key for one direction
> than for the other.  And given the key, the IV is trivial to recover.)
> 
> Possibly, we should run HMAC on the padding string, using the shared
> secret as the key.  At the least, I suggest that MD5(key,constantstring)
> would be more secure.
> 
> Comments?