Re: deriving keying material from the shared secret
pau@watson.ibm.com Mon, 01 July 1996 16:03 UTC
Received: from ietf.cnri.reston.va.us by IETF.CNRI.Reston.VA.US id aa12544; 1 Jul 96 12:03 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa12540; 1 Jul 96 12:03 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa10545; 1 Jul 96 12:03 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa23935; 1 Jul 96 11:42 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa23857; 1 Jul 96 11:36 EDT
Received: by relay.tis.com; id LAA06976; Mon, 1 Jul 1996 11:38:04 -0400
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: pau@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1.1) id xma006968; Mon, 1 Jul 96 11:37:37 -0400
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA26640; Mon, 1 Jul 96 11:37:38 EDT
Received: by relay.tis.com; id LAA06965; Mon, 1 Jul 1996 11:37:34 -0400
Received: from igw2.watson.ibm.com(129.34.139.6) by relay.tis.com via smap (V3.1.1) id xma006958; Mon, 1 Jul 96 11:37:06 -0400
Received: from mailhub1.watson.ibm.com (mailhub1.watson.ibm.com [9.2.249.31]) by igw2.watson.ibm.com (8.7.4/8.7.1) with ESMTP id LAA18984; Mon, 1 Jul 1996 11:40:11 -0400
Received: from secpwr.watson.ibm.com (secpwr.watson.ibm.com [9.2.24.17]) by mailhub1.watson.ibm.com (8.7.1/03-28-96) with SMTP id LAA21534; Mon, 1 Jul 1996 11:39:34 -0400
Received: by secpwr.watson.ibm.com (AIX 4.1/UCB 5.64/4.03) id AA21226; Mon, 1 Jul 1996 11:45:26 -0400
Date: Mon, 01 Jul 1996 11:45:26 -0400
Message-Id: <9607011545.AA21226@secpwr.watson.ibm.com>
To: ipsec@tis.com, smb@research.att.com
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
Subject: Re: deriving keying material from the shared secret
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Md5: kflqhCoLK1Y7wfGJhmDu1w==
X-Orig-Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Yes, this is a good idea. I don't know, however, if we should specify a generic algorithm for all crypto algorithms; or each crypto (e.g., DES, HAMC-MD5, etc.) should specify its own transformation to transfer a n-bit keying material to a m-bit key ? Where n could be either greater than, equal to, or less than m. The advantage of per-algorithm transformation is that some algorithm may have special considerations. For example, DES may require special processing if the result of the transformation is a DES weak key (as suggested bt teh isakmp-oakley draft). Regards, Pau-Chen > From ipsec-request@neptune.tis.com Mon Jul 1 10:49:46 1996 > Message-Id: <199606302320.TAA00201@smb.research.att.com> > X-Authentication-Warning: smb.research.att.com: smb owned process doing -bs > From: Steve Bellovin <smb@research.att.com> > Mmdf-Warning: Unable to confirm address in preceding line at neptune.TIS.COM > To: ipsec@TIS.COM > Subject: deriving keying material from the shared secret > Date: Sun, 30 Jun 1996 19:18:51 -0400 > Sender: ipsec-approval@neptune.tis.com > Precedence: bulk > Content-Length: 2145 > Status: RO > > The particular secrecy and authentication transforms we are considering > need varying amounts of keying material. For example, the current ESP > draft (draft-ietf-ipsec-esp-des-md5-02.txt) uses two 56-bit DES keys > (though it extracts 64-bit chunks), a single 64-bit IV (why one instead > of two?), and a 128-bit HMAC key. A mechanism for deriving these keys > from the shared secret is given in the text; it involves a 512-bit > pad field whose contents varies, and MD5. > > By contrast, the current MD5-HMAC draft (draft-ietf-ipsec-ah-hmac-md5-00.txt) > uses a variable-length key apparently taken directly from the shared > secret, crunching it through MD5 if needed to reduce it to 64 bytes if > needed. > > I suggest that we have one standard method of extracting keys from > the shared secret, probably spelled out in a separate RFC. It is > important, in my opinion, to make it extremely difficult to derive > one key given one of the others derived from the same shared secret. > For example, suppose one can determine the IV used for the ESP > transform as defined; we don't want to make it easy to determine > the session keys from the IV. > > The derivation mechanism used in the ESP draft is probably wrong, since > it uses MD5 run on the concatenation of a constant string (which differs > for each key) and the shared secret. Since the constant string is > 64 bytes long, the natural input block length of MD5, when the secret > is crunched in it is equivalent to running MD5' on just the secret, > where MD5 differs from MD5 only in the starting values of the state > registers A, B, C, D. If the shared secret is, say, 155 bits (and I > think that that will be common, if elliptic curves are used and if I'm > reading the Oakley spec correctly), then the attacker need only go after > one of the simpler cases for attacking MD5. (A forthcoming draft paper > will show why it may be relatively easier to get the key for one direction > than for the other. And given the key, the IV is trivial to recover.) > > Possibly, we should run HMAC on the padding string, using the shared > secret as the key. At the least, I suggest that MD5(key,constantstring) > would be more secure. > > Comments?
- deriving keying material from the shared secret Steve Bellovin
- Re: deriving keying material from the shared secr… pau
- Re: deriving keying material from the shared secr… Hilarie Orman
- Re: deriving keying material from the shared secr… Uri Blumenthal
- Re: deriving keying material from the shared secr… Bill Sommerfeld
- Re: deriving keying material from the shared secr… Phil Karn
- Re: deriving keying material from the shared secr… Uri Blumenthal