KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
John Wilkerson writes:
>On Oct 29, 2005, at 12:55 PM, David Wagner wrote:
>> If the protocol calls for Alice to pick the hash H first and publish
>> it, and Mallory later picks the message A, then there is no reason to
>> think that H,A will be independent. Consequently, for such a
>> protocol, the Leftover Hash Lemma will not be applicable.
>
>Since the original scenario was DH key exchange, let Alice and Bob be
>the legitimate parties to the communication, and let A = g^xy, where
>x and y are uniform random values chosen by Alice and Bob.
I do not concede that x and y are necessarily uniform random values.
What if Alice is malicious? Then x might be distributed in any way
that Alice wishes.
I do not concede that A will contain only the value g^{xy}. In fact,
the NIST KDF also includes other non-secret auxiliary values as input
to the KDF. The context is that we were discussing the idea of using
a 2-universal hash extractor (based on the Leftover Hashing Lemma) as
a replacement for NIST's KDF. This means that in practice we may wish
the value A to contain other auxiliary values as well: e.g., session
identifiers, the names of the parties, and so on. If one of the endpoints
is malicious, those auxiliary inputs might be chosen maliciously.
>Let H be
>chosen in advance by the protocol designer, and made public. How does
>Mallory, a would-be eavesdropper, influence the selection of x and y
>so as to choose A dependent on H?
I think the above answers it. I gave two scenarios where the value A
can be influenced by the attacker. In particular, the value A need not
be independent of H: since H is chosen and made public in advance, the
attacker can choose her contribution to A after H is known, and her
contribution to A can depend on the value of H.
>If Mallory has this level of influence over Alice and/or Bob, it seems
>that he would have other ways to eavesdrop.
In many cases, we want security even if one of the endpoints is malicious.
Note that until the protocol finishes, we might not know whether the
two parties are actually Alice and Bob, or whether one of the parties
is someone else pretending to be Alice or Bob.
For instance, in a mutual authentication protocol, Mallory (playing the
role of Alice) should not be able to interact with Bob and trick Bob
into thinking that he is talking to Alice. And you will see that this
is one example where Mallory can influence the value of A.
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
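A worked illustration of the independence point argued in the message above, added here as an example and not part of the post or of NIST's KDF: the Leftover Hash Lemma guarantees a near-uniform output only when the hash H is chosen independently of the input A. The code assumes a concrete (almost) 2-universal family h_{a,b}(x) = ((a*x + b) mod P) mod 2^K with P = 65537, K = 8 output bits, and models the attacker's influence in the simplest way, as choosing the distribution of A after the hash key is public. Both input distributions have the same min-entropy (M = 14 bits); the names hash_key, honest_support, adversarial_support and run are this example's own.

```python
import random

P = 65537   # prime modulus for the hash family (assumed for this example)
K = 8       # output length in bits
M = 14      # min-entropy (bits) of the input distribution in both scenarios


def hash_key(rng):
    """Sample a member of the family: a in [1, P-1], b in [0, P-1]."""
    return rng.randrange(1, P), rng.randrange(P)


def h(key, x):
    """h_{a,b}(x) = ((a*x + b) mod P) mod 2^K, an (almost) 2-universal family on Z_P."""
    a, b = key
    return ((a * x + b) % P) % (1 << K)


def output_distribution(key, support):
    """Distribution of h_key(A) when A is uniform over `support`."""
    counts = [0] * (1 << K)
    for x in support:
        counts[h(key, x)] += 1
    n = len(support)
    return [c / n for c in counts]


def statistical_distance_from_uniform(dist):
    """Half the L1 distance between `dist` and the uniform distribution."""
    u = 1.0 / len(dist)
    return 0.5 * sum(abs(p - u) for p in dist)


def honest_support(rng):
    """Input distribution fixed BEFORE the hash key is known:
    uniform over a random subset of Z_P of size 2^M (min-entropy M bits)."""
    return rng.sample(range(P), 1 << M)


def adversarial_support(key):
    """Input distribution chosen AFTER the hash key is public (the attacker's
    contribution to A depends on H): uniform over 2^M inputs whose hash has its
    top two bits equal to zero. Same min-entropy as honest_support, yet two bits
    of the derived key are now fixed. (For P = 65537 each of the 64 target outputs
    has at least 256 preimages, so 2^M such inputs always exist.)"""
    support = []
    for x in range(P):
        if h(key, x) >> (K - 2) == 0:
            support.append(x)
            if len(support) == (1 << M):
                break
    return support


def lhl_bound():
    """Leftover Hash Lemma: when H is independent of A and A has min-entropy M,
    the EXPECTED distance over the key is at most 0.5 * sqrt(2^K / 2^M)."""
    return 0.5 * (2 ** ((K - M) / 2))


def run(seed=1):
    """Return (honest_distance, adversarial_distance) for one hash key."""
    rng = random.Random(seed)
    honest = honest_support(rng)          # chosen first, independent of the key
    key = hash_key(rng)                   # key chosen and published afterwards
    adversarial = adversarial_support(key)  # chosen with knowledge of the key
    d_honest = statistical_distance_from_uniform(output_distribution(key, honest))
    d_adv = statistical_distance_from_uniform(output_distribution(key, adversarial))
    return d_honest, d_adv


if __name__ == "__main__":
    d_honest, d_adv = run()
    print(f"LHL bound on expected distance (independent H, A): {lhl_bound():.4f}")
    print(f"distance, A fixed before H was published:          {d_honest:.4f}")
    print(f"distance, A chosen after H was published:          {d_adv:.4f}")
```

The honest scenario lands close to the lemma's bound (a single key can slightly exceed it, since the bound is on the expectation over the key), while the attacker-chosen input, with exactly the same min-entropy, drives the distance to about 0.75: the output is confined to a quarter of the key space. Nothing about the hash family changed; only the order in which H and A were fixed.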