Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
On Oct 30, 2005, at 1:42 AM, David Wagner wrote:
> I think the NIST KDF is sub-optimal, and could be improved.
I have never implemented a KDF similar to NIST's proposal; I have
always used (without really thinking about why) a "pre-hash" of the
shared secret value H(SV) as the key input to a PRF.
Since I tend to be conservative, I would probably be more inclined to
use the HKDF proposal if it were like the (already suggested)
construction:
H_i = HMAC( H(SV), i || contextID )
I thought that some were objecting to this construction on
implementation difficulty or efficiency grounds, and since I couldn't
really see anything quantifiably *wrong* with the NIST proposal, I
suggested leaving the NIST proposal as is. If, however, everyone is
happy with the above "pre-hash and HMAC" construction, it would
certainly get my vote.
-John
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
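
The "pre-hash and HMAC" construction from the message above, H_i = HMAC( H(SV), i || contextID ), as an added sketch that is not part of the original message. SHA-256 as H, a 4-byte big-endian counter starting at 1, and concatenating the H_i blocks and truncating to the requested length are assumptions; the message fixes none of them.

```python
import hashlib
import hmac

HASH = hashlib.sha256            # assumption: the message does not name H
HASH_LEN = HASH().digest_size    # 32 bytes for SHA-256
COUNTER_LEN = 4                  # assumption: fixed-width counter encoding


def prehash_hmac_kdf(shared_secret: bytes, context_id: bytes, length: int) -> bytes:
    """Return H_1 || H_2 || ... truncated to `length` bytes,
    where H_i = HMAC(H(SV), i || contextID)."""
    if not shared_secret:
        raise ValueError("shared secret must not be empty")
    if length <= 0:
        raise ValueError("length must be positive")
    blocks = -(-length // HASH_LEN)  # ceiling division
    if blocks >= 2 ** (8 * COUNTER_LEN):
        raise ValueError("requested length exceeds the counter range")

    # Pre-hash: the PRF key is always HASH_LEN bytes, whatever the size or
    # structure of SV (for example a long Diffie-Hellman value).
    prf_key = HASH(shared_secret).digest()

    out = bytearray()
    for i in range(1, blocks + 1):
        # The counter has a fixed width, so "i || contextID" parses
        # unambiguously even though contextID has variable length.
        msg = i.to_bytes(COUNTER_LEN, "big") + context_id
        out += hmac.new(prf_key, msg, HASH).digest()
    return bytes(out[:length])


if __name__ == "__main__":
    sv = bytes(range(64))  # constructed sample shared secret
    enc = prehash_hmac_kdf(sv, b"constructed-context:enc", 32)
    mac = prehash_hmac_kdf(sv, b"constructed-context:mac", 32)
    print(enc.hex())
    print(mac.hex())
```

Distinct contextID values yield independent-looking keys from the same SV, which is the role the contextID plays in the formula.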