[Cfrg] KDF: Randomness extraction vs. key expansion
Ran Canetti
>David Wagner writes:
>> But does it really work? Can we safely use the nonces "as-is"?
>> What's got me worried is that one of the nonces could have been chosen
>> by an attacker. See my previous email for some example scenarios where
>
>I'm talking about key exchange protocols where the nonces are
>authenticated (MACed) as part of the exchange (eg, IKE).
>In such protocols we know that the nonces came from the real participants,
>and since we only care about the goodness of the key in case that the
>participants are following their protocol, we can assume they are random
>(in case, of course, that the protocol instructs the nonces to be random).
Ahh, now I get it. I guess you're talking about the case where nonces
are signed or MACed using pre-established static signing or MAC keys (not
ones derived from the same key exchange performed during this session).
So yeah, that makes sense. Thanks!
This does make deterministic key extraction look more attractive, for
protocols that take this form... Cute.
P.S. I'm still trying to convince myself that we definitely, absolutely
don't care about the goodness of the key, if one of the participants
is malicious. That sounds quite plausible, though I haven't got an
airtight argument to myself yet. Anyway, I'll take that on faith for
now -- I suspect I'm just being slow...
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
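The pattern the thread discusses, as an added example that is not part of the original exchange: each nonce is authenticated under a pre-established static MAC key, and only after both tags verify are the nonces used as the deterministic extraction salt of an HKDF-style derivation over the shared secret. The static keys, the shared secret and the nonces are constructed sample values; a real protocol would carry them in its own message formats.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread: long-term MAC keys the
# two parties established out of band (used only to authenticate nonces), and a
# fixed byte string standing in for the key-exchange result g^ir.
STATIC_KEY_I = b"initiator-long-term-mac-key-demo"
STATIC_KEY_R = b"responder-long-term-mac-key-demo"
SHARED_SECRET = bytes.fromhex("9f" * 32)


def authenticate_nonce(static_key: bytes, nonce: bytes) -> bytes:
    """Tag a nonce under a party's static MAC key, as the sender would."""
    return hmac.new(static_key, nonce, hashlib.sha256).digest()


def hkdf_extract_expand(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with a caller-supplied salt.
    Nothing inside draws fresh randomness, so the output is deterministic."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(nonce_i: bytes, tag_i: bytes, nonce_r: bytes, tag_r: bytes,
                       shared_secret: bytes = SHARED_SECRET, length: int = 32) -> bytes:
    """Accept each nonce only if its MAC verifies under the sender's static key,
    then use both authenticated nonces as the extraction salt."""
    if not hmac.compare_digest(authenticate_nonce(STATIC_KEY_I, nonce_i), tag_i):
        raise ValueError("initiator nonce failed authentication")
    if not hmac.compare_digest(authenticate_nonce(STATIC_KEY_R, nonce_r), tag_r):
        raise ValueError("responder nonce failed authentication")
    return hkdf_extract_expand(nonce_i + nonce_r, shared_secret, b"session key", length)


if __name__ == "__main__":
    ni, nr = bytes(range(16)), bytes(range(16, 32))  # constructed nonces
    ti, tr = authenticate_nonce(STATIC_KEY_I, ni), authenticate_nonce(STATIC_KEY_R, nr)
    print(derive_session_key(ni, ti, nr, tr).hex())
```

An unauthenticated or altered nonce is rejected before it can influence the salt, which is the property that lets the extraction step skip a separately chosen random salt.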