Re: [Cfrg] soliciting feedback on HKDF

Zooko Wilcox-O'Hearn <zooko@zooko.com> Tue, 20 October 2009 03:36 UTC

From: Zooko Wilcox-O'Hearn <zooko@zooko.com>
Date: Mon, 19 Oct 2009 21:36:24 -0600
To: Dan Harkins <dharkins@lounge.org>
Cc: Tim Polk <tim.polk@nist.gov>, David McGrew <mcgrew@cisco.com>, cfrg@irtf.org, Hugo Krawczyk <hugo@ee.technion.ac.il>
Subject: Re: [Cfrg] soliciting feedback on HKDF

On Monday, 2009-10-19, at 17:36, Dan Harkins wrote:

>   A very nice I-D and I think HKDF will be a valuable building  
> block for protocol designers.

I would like to echo this sentiment: in attempting to stringently  
evaluate "Everything that could possibly go wrong" with Tahoe-LAFS's  
crypto design [1], I keep thinking that the KDF is a linchpin  
component in several places.  (The recent revelation of related-key  
issues in AES-256 is one of the reasons to think this.)  Thank you  
for working on the design and standardization of HKDF!

For what it is worth -- I really don't want to start an argument  
about this somewhat tangential issue -- I don't like HMAC-SHA256  
nearly as well as I like Poly1305-AES or Poly1305-Salsa20.  This is  
an unfortunate period in cryptography when there isn't a really good  
secure hash function that we can rely on, and the strong security  
proofs and superior performance of the Carter-Wegman MACs like  
Poly1305 look better to me than the security proofs of HMAC.

Regards,

Zooko Wilcox-O'Hearn

[1] http://allmydata.org/trac/tahoe/wiki/NewCaps/WhatCouldGoWrong