independence of keying material for multiple transforms

Greg Troxel <gdt@bbn.com> Tue, 29 October 1996 18:52 UTC

Date: Tue, 29 Oct 1996 12:43:17 -0500
Message-Id: <199610291743.MAA12547@aardvark.bbn.com>
From: Greg Troxel <gdt@bbn.com>
To: ipsec@tis.com
Subject: independence of keying material for multiple transforms
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

I've only been dimly following IPSEC for a while, and am trying to pay
attention more.  Thus this comment is from someone less familiar with
the documents; I hope this perspective is useful in that it might
cause an unwritten shared assumption to be written down clearly.

I'd like to concur with the notion expressed in a recent message that
documents explicitly make the point that, when raw keying material is
used to generate blobs, whatever entropy was 'used' to generate
this not be reused when generating another blob.  Or perhaps, that it
should be computationally infeasible to determine information about
any bit in blob A given the entire contents of blobs B,C,D.

This may seem obvious, and I get the impression that most/all people
are thinking this, but it wasn't said explicitly in Ran's phrasing.
I'm not comfortably sure that all readers would get this nuance,
particularly if they aren't aspiring Real Cryptographers.

        Greg Troxel <gdt@bbn.com>  +1 617 873 2494
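
The property asked for above, as an added example that is not part of the original message and not a method taken from the IPsec documents: it contrasts handing each transform a slice of the same raw bytes with deriving each blob through HKDF (RFC 5869, HMAC-SHA256) under a distinct label. The transform labels, key sizes, function names and sample keying material are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes

def hkdf(raw: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand under `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    prk = hmac.new(salt or bytes(HASH_LEN), raw, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_by_slicing(raw: bytes, sizes: dict) -> dict:
    """Flawed: every blob is the leading bytes of the same raw keying material."""
    return {name: raw[:n] for name, n in sizes.items()}

def derive_separated(raw: bytes, sizes: dict) -> dict:
    """Each blob is PRF output under its own label, so knowing blobs B, C, D
    gives no feasible way to compute any bit of blob A."""
    return {name: hkdf(raw, b"transform:" + name.encode(), n)
            for name, n in sizes.items()}

def leaked_bytes(blobs: dict, target: str) -> int:
    """Leading bytes of `target` that appear verbatim at the start of another blob.
    A check for outright reuse only, not a proof of independence."""
    mine, worst = blobs[target], 0
    for name, other in blobs.items():
        if name == target:
            continue
        n = 0
        while n < min(len(mine), len(other)) and mine[n] == other[n]:
            n += 1
        worst = max(worst, n)
    return worst

# Constructed sample input; real keying material comes from the key exchange.
RAW = bytes(range(64))
SIZES = {"esp-cipher": 24, "esp-auth": 16, "ah-auth": 16}  # hypothetical labels

if __name__ == "__main__":
    for derive in (derive_by_slicing, derive_separated):
        blobs = derive(RAW, SIZES)
        print(derive.__name__, {k: leaked_bytes(blobs, k) for k in blobs})
```

The separation is computational: the combined strength of all derived blobs is still bounded by the entropy of the raw keying material.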