Re: [Cfrg] soliciting feedback on HKDF
Hello,
A very nice I-D and I think HKDF will be a valuable building
block for protocol designers.
First a (drawn-out) question:
The HKDF-extract function uses HMAC-hash, a keyed pseudo-random
function (PRF) that represents a family of mappings, one for each
key, of (a double invocation of) "hash". HKDF uses an optional "salt"
as the key to this PRF. When the salt is not given, a number of zeros
equal to the block size of "hash" is used. Also, a given "salt" can
be reused across multiple invocations of HKDF. This means the PRF is
being reduced to a single mapping from its family of maps. So why use
the PRF construct of HMAC-hash for HKDF-extract()? Unless the "salt"
is mandatory and distinct (and possibly just unpredictable, not
necessarily random) for each invocation of HKDF, I don't see the point.
If there is a benefit to using HMAC-hash with a (possibly) fixed
key over just using "hash", it would be helpful to spell that out
somewhere in the draft. If not, I think it would be simpler to just
use a single function map if that's all that's needed.
And now a suggestion:
It would be nice to add to the security considerations a description
of the property that HKDF-extract() has that is useful for concentrating
the entropy of the input key. That would help when people start trying
to instantiate HKDF with different values of "hash". Or, to guide the
hands of people who might not really know what they're doing, consider
creating an IANA registry of specific instantiations of HKDF with
different values of "hash" and specify some kind of "expert review" to
add new values to the registry.
regards,
Dan.
On Mon, October 19, 2009 10:45 am, David McGrew wrote:
> Hello,
>
> HMAC-based Extract-and-Expand Key Derivation Function (HKDF),
> http://tools.ietf.org/html/draft-krawczyk-hkdf-00, specifies a
> key derivation function that is intended to be used in a
> wide variety of applications. This draft provides a detailed
> proposal along the lines of what Hugo presented to the IETF Security
> Area at IETF 74. If you have an interest in the design and/or use of
> this KDF, please provide your feedback to the CFRG list.
>
> It would be ideal to have feedback by November 8, so that it can be
> considered at the upcoming IETF meeting. However, comments are
> welcome at any time.
>
> David
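The two-stage construction discussed in this thread, as an added Python example (not code from the draft or from either poster): HKDF-Extract is HMAC-Hash keyed with the salt, and HKDF-Expand iterates HMAC-Hash keyed with the PRK. The zero-salt default here follows the published RFC 5869 (HashLen zeros); because HMAC zero-pads any key shorter than the block size, a salt of HashLen zeros and a salt of block-size zeros produce the same PRK, which the last function checks. The hash name and lengths are parameters, so the same code instantiates HKDF with a different "hash".

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    The salt is the HMAC key; the input keying material is the message.
    Output is always HashLen bytes, whatever the length of IKM.
    An empty or absent salt defaults to HashLen zero bytes (RFC 5869).
    """
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ...

    The counter is a single byte, so at most 255 * HashLen bytes can be requested.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested OKM length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Full HKDF: Extract, then Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def zero_salt_equals_block_size_zeros(ikm: bytes, hash_name: str = "sha256") -> bool:
    """HMAC zero-pads keys shorter than the block size, so HashLen zeros and
    block-size zeros are the same HMAC key and yield the same PRK."""
    h = hashlib.new(hash_name)
    return (hkdf_extract(b"\x00" * h.digest_size, ikm, hash_name)
            == hkdf_extract(b"\x00" * h.block_size, ikm, hash_name))
```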