deriving keying material from the shared secret

Steve Bellovin <smb@research.att.com> Mon, 01 July 1996 02:13 UTC

Received: from ietf.cnri.reston.va.us by IETF.CNRI.Reston.VA.US id aa12400; 30 Jun 96 22:13 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa12396; 30 Jun 96 22:13 EDT
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa16408; 30 Jun 96 22:13 EDT
Received: from neptune.tis.com by neptune.TIS.COM id aa14005; 30 Jun 96 21:56 EDT
Received: from relay.tis.com by neptune.TIS.COM id aa13991; 30 Jun 96 21:50 EDT
Received: by relay.tis.com; id VAA27923; Sun, 30 Jun 1996 21:52:07 -0400
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1.1) id xma027921; Sun, 30 Jun 96 21:51:38 -0400
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA01089; Sun, 30 Jun 96 21:51:40 EDT
Received: by relay.tis.com; id VAA27918; Sun, 30 Jun 1996 21:51:37 -0400
Received: from ns.research.att.com(192.20.225.4) by relay.tis.com via smap (V3.1.1) id xma027916; Sun, 30 Jun 96 21:51:22 -0400
Received: from research.research.att.com by ns; Sun Jun 30 21:52:07 EDT 1996
Received: from smb.research.att.com by research; Sun Jun 30 21:48:14 EDT 1996
Received: from smb.research.att.com (smb@localhost) by smb.research.att.com (8.6.12/8.6.10) with ESMTP id TAA00201 for <ipsec@tis.com>; Sun, 30 Jun 1996 19:20:07 -0400
Message-Id: <199606302320.TAA00201@smb.research.att.com>
X-Authentication-Warning: smb.research.att.com: smb owned process doing -bs
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Steve Bellovin <smb@research.att.com>
MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
To: ipsec@tis.com
Subject: deriving keying material from the shared secret
Date: Sun, 30 Jun 1996 19:18:51 -0400
X-Orig-Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

The particular secrecy and authentication transforms we are considering
need varying amounts of keying material.  For example, the current ESP
draft (draft-ietf-ipsec-esp-des-md5-02.txt) uses two 56-bit DES keys
(though it extracts 64-bit chunks), a single 64-bit IV (why one instead
of two?), and a 128-bit HMAC key.  A mechanism for deriving these keys
from the shared secret is given in the text; it involves a 512-bit
pad field whose contents varies, and MD5.

By contrast, the current MD5-HMAC draft (draft-ietf-ipsec-ah-hmac-md5-00.txt)
uses a variable-length key apparently taken directly from the shared
secret, crunching it through MD5 if needed to reduce it to 64 bytes if
needed.

I suggest that we have one standard method of extracting keys from
the shared secret, probably spelled out in a separate RFC.  It is
important, in my opinion, to make it extremely difficult to derive
one key given one of the others derived from the same shared secret.
For example, suppose one can determine the IV used for the ESP
transform as defined; we don't want to make it easy to determine
the session keys from the IV.

The derivation mechanism used in the ESP draft is probably wrong, since
it uses MD5 run on the concatenation of a constant string (which differs
for each key) and the shared secret.  Since the constant string is
64 bytes long, the natural input block length of MD5, when the secret
is crunched in it is equivalent to running MD5' on just the secret,
where MD5 differs from MD5 only in the starting values of the state
registers A, B, C, D.  If the shared secret is, say, 155 bits (and I
think that that will be common, if elliptic curves are used and if I'm
reading the Oakley spec correctly), then the attacker need only go after
one of the simpler cases for attacking MD5.  (A forthcoming draft paper
will show why it may be relatively easier to get the key for one direction
than for the other.  And given the key, the IV is trivial to recover.)

Possibly, we should run HMAC on the padding string, using the shared
secret as the key.  At the least, I suggest that MD5(key,constantstring)
would be more secure.

Comments?