deriving keying material from the shared secret
Steve Bellovin <smb@research.att.com> Mon, 01 July 1996 02:13 UTC
Received: from ietf.cnri.reston.va.us by IETF.CNRI.Reston.VA.US id aa12400; 30 Jun 96 22:13 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa12396; 30 Jun 96 22:13 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa16408; 30 Jun 96 22:13 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa14005; 30 Jun 96 21:56 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa13991; 30 Jun 96 21:50 EDT
Received: by relay.tis.com; id VAA27923; Sun, 30 Jun 1996 21:52:07 -0400
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1.1) id xma027921; Sun, 30 Jun 96 21:51:38 -0400
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA01089; Sun, 30 Jun 96 21:51:40 EDT
Received: by relay.tis.com; id VAA27918; Sun, 30 Jun 1996 21:51:37 -0400
Received: from ns.research.att.com(192.20.225.4) by relay.tis.com via smap (V3.1.1) id xma027916; Sun, 30 Jun 96 21:51:22 -0400
Received: from research.research.att.com by ns; Sun Jun 30 21:52:07 EDT 1996
Received: from smb.research.att.com by research; Sun Jun 30 21:48:14 EDT 1996
Received: from smb.research.att.com (smb@localhost) by smb.research.att.com (8.6.12/8.6.10) with ESMTP id TAA00201 for <ipsec@tis.com>; Sun, 30 Jun 1996 19:20:07 -0400
Message-Id: <199606302320.TAA00201@smb.research.att.com>
X-Authentication-Warning: smb.research.att.com: smb owned process doing -bs
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Steve Bellovin <smb@research.att.com>
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
To: ipsec@tis.com
Subject: deriving keying material from the shared secret
Date: Sun, 30 Jun 1996 19:18:51 -0400
X-Orig-Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
The particular secrecy and authentication transforms we are considering need varying amounts of keying material. For example, the current ESP draft (draft-ietf-ipsec-esp-des-md5-02.txt) uses two 56-bit DES keys (though it extracts 64-bit chunks), a single 64-bit IV (why one instead of two?), and a 128-bit HMAC key. A mechanism for deriving these keys from the shared secret is given in the text; it involves a 512-bit pad field whose contents varies, and MD5. By contrast, the current MD5-HMAC draft (draft-ietf-ipsec-ah-hmac-md5-00.txt) uses a variable-length key apparently taken directly from the shared secret, crunching it through MD5 if needed to reduce it to 64 bytes if needed. I suggest that we have one standard method of extracting keys from the shared secret, probably spelled out in a separate RFC. It is important, in my opinion, to make it extremely difficult to derive one key given one of the others derived from the same shared secret. For example, suppose one can determine the IV used for the ESP transform as defined; we don't want to make it easy to determine the session keys from the IV. The derivation mechanism used in the ESP draft is probably wrong, since it uses MD5 run on the concatenation of a constant string (which differs for each key) and the shared secret. Since the constant string is 64 bytes long, the natural input block length of MD5, when the secret is crunched in it is equivalent to running MD5' on just the secret, where MD5 differs from MD5 only in the starting values of the state registers A, B, C, D. If the shared secret is, say, 155 bits (and I think that that will be common, if elliptic curves are used and if I'm reading the Oakley spec correctly), then the attacker need only go after one of the simpler cases for attacking MD5. (A forthcoming draft paper will show why it may be relatively easier to get the key for one direction than for the other. And given the key, the IV is trivial to recover.) Possibly, we should run HMAC on the padding string, using the shared secret as the key. At the least, I suggest that MD5(key,constantstring) would be more secure. Comments?
- deriving keying material from the shared secret Steve Bellovin
- Re: deriving keying material from the shared secr… pau
- Re: deriving keying material from the shared secr… Hilarie Orman
- Re: deriving keying material from the shared secr… Uri Blumenthal
- Re: deriving keying material from the shared secr… Bill Sommerfeld
- Re: deriving keying material from the shared secr… Phil Karn
- Re: deriving keying material from the shared secr… Uri Blumenthal