
Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Getting back to the original topic of the NIST HKDF proposal, several
people suggested that they were uncomfortable with the construction
H_i = H( i || SV || contextID ), which is the one suggested in the
HKDF proposal, with some optional arguments suppressed.

Most of these same people suggested instead something along the lines
of K_i = PRF( H(SV), i || contextID ), where H(SV) is the key input to
the PRF, and ( i || contextID ) is the "message" input to the PRF.
HMAC and CMAC were both suggested as suitable PRFs.

Neither HMAC nor CMAC retains any security guarantee as a PRF if the
key is not chosen uniformly at random. If we assume that H(SV) is
uniformly random, given that SV may not be, then we should have no
concern with the NIST HKDF. If we are not willing to assume that H(SV) is
uniformly random, then our arguments for the PRF-based construction
must be heuristic, and based on non-standard assumptions about the
PRF. If we assume that SV is uniformly random, then we can skip the
"pre-hashing" step, and use SV directly as the key to the PRF.

While it doesn't strike me as unreasonable to desire some additional
measure of heuristic protection, given all that has happened with our
hash functions of late, let us at least be clear that our arguments
are heuristic, and not based on any proven properties of PRFs under
standard assumptions.

Given that the preference for one KDF over the other is just that, a
preference, I would argue that the NIST HKDF proposal should stand
unmodified. Those who are uncomfortable with it are always free to
choose other KDFs.

-John
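The two constructions compared above, written out as an added example (this is not code from the post, from NIST, or from the list): HMAC-SHA-256 stands in for the PRF, the 4-byte big-endian counter encoding and the sample SV/contextID values are assumptions, and a `prehash` switch shows the difference between keying the PRF with H(SV) and with SV directly.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the post): a shared secret SV from
# some key agreement, and a context identifier binding the derived keys.
SV = b"shared-secret-value-from-key-agreement"
CONTEXT_ID = b"example-context"


def counter_bytes(i: int) -> bytes:
    # Assumption: 4-byte big-endian counter; the post fixes no encoding.
    return i.to_bytes(4, "big")


def kdf_hash(sv: bytes, context_id: bytes, n_blocks: int,
             hash_name: str = "sha256") -> bytes:
    """NIST HKDF-proposal style: H_i = H( i || SV || contextID ).

    SV enters only as hash input; the blocks H_1 || H_2 || ... form the
    derived keying material.
    """
    out = b""
    for i in range(1, n_blocks + 1):
        out += hashlib.new(hash_name, counter_bytes(i) + sv + context_id).digest()
    return out


def kdf_prf(sv: bytes, context_id: bytes, n_blocks: int,
            prehash: bool = True, hash_name: str = "sha256") -> bytes:
    """PRF-based alternative: K_i = PRF( key, i || contextID ), PRF = HMAC.

    prehash=True  -> key = H(SV), the construction suggested on the list.
    prehash=False -> key = SV, the shortcut the post allows when SV is
                     already uniformly random.
    Either way the PRF's security argument needs its key to be uniform.
    """
    key = hashlib.new(hash_name, sv).digest() if prehash else sv
    out = b""
    for i in range(1, n_blocks + 1):
        out += hmac.new(key, counter_bytes(i) + context_id, hash_name).digest()
    return out


if __name__ == "__main__":
    print("hash-based :", kdf_hash(SV, CONTEXT_ID, 2).hex())
    print("HMAC, H(SV):", kdf_prf(SV, CONTEXT_ID, 2).hex())
    print("HMAC, SV   :", kdf_prf(SV, CONTEXT_ID, 2, prehash=False).hex())
```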

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg