[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Cfrg] existing KDFs and their uses

To: Peter Gutmann <pgut001 at cs.auckland.ac.nz>, Dan Brown <dbrown at certicom.com>, David Jacobson <dmjacobson at sbcglobal.net>
Subject: [Cfrg] existing KDFs and their uses
From: David McGrew <mcgrew at cisco.com>
Date: Wed, 21 Oct 2009 08:29:06 -0700
Authentication-results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
Cc: "Pasi.Eronen at nokia.com Eronen" <Pasi.Eronen at nokia.com>, cfrg at irtf.org, Hugo Krawczyk <hugo at ee.technion.ac.il>
Delivered-to: cfrg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mcgrew at cisco.com; l=7136; q=dns/txt; s=sjiport01001; t=1256138950; x=1257348550; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20David=20McGrew=20<mcgrew at cisco.com>|Subject:=20e xisting=20KDFs=20and=20their=20uses|Date:=20Wed,=2021=20O ct=202009=2008:29:06=20-0700|Message-Id:=20<89F9203E-440C -44A8-BA5D-31A1C4A6453D at cisco.com>|To:=20Peter=20Gutmann =20<pgut001 at cs.auckland.ac.nz>,=20Dan=20Brown=20<dbrown at c erticom.com>,=0D=0A=20=20=20=20=20=20=20=20David=20Jacobs on=20<dmjacobson at sbcglobal.net>|Cc:=20cfrg at irtf.org,=20Hu go=20Krawczyk=20<hugo at ee.technion.ac.il>,=0D=0A=20=20=20 =20=20=20=20=20"Pasi.Eronen at nokia.com=20Eronen"=20<Pasi.E ronen at nokia.com>|Mime-Version:=201.0=20(Apple=20Message =20framework=20v936)|In-Reply-To:=20<E1N0PO7-0001YN-HW at wi ntermute01.cs.auckland.ac.nz>|References:=20<E1N0PO7-0001 YN-HW at wintermute01.cs.auckland.ac.nz>; bh=rOiy+hEzDZOLH4PqSZO71ploEmVo8g3jpb4lgF5Ajbk=; b=DmJQqq7t6xVMy5RT6oYKsR8oyF8+Ihy979QS5wBq832HS7FrHTIEgLoY WvyijCAtBpj8PuaNbsR3E8aKq3WttWajYckr8UYoo/nM37gsMwmJWELNz exbTGjmzbb+W3dMvXHwDW2QWWbXTDXnJndM9wu3IBp01pLPP5Uk7ucQ4J M=;
In-reply-to: <E1N0PO7-0001YN-HW at wintermute01.cs.auckland.ac.nz>
List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-help: <mailto:cfrg-request@irtf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.irtf.org>
List-post: <mailto:cfrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
References: <E1N0PO7-0001YN-HW at wintermute01.cs.auckland.ac.nz>

Hi Peter, Dan, and David,

"Dan Brown" <dbrown at certicom.com> writes:
2. The menagerie of key derivation functions (i.e. DH-like sharedsecret
value to symmetric key, which unlike key generation are needed for
interoperability) such as IEEE KDF1 and KDF2, ANSI X9.63 X9.42,NIST SP
800-56A, TLS-PRF, and IKE, and now HKDF,


Peter Gutmann wrote:

You missed out the SSH one, and what S/MIME uses for its DH keying,and thereare probably several others as well used in lesser-known protocols.In factevery protocol that I know of has invented its own KDF, incompatiblewithevery other KDF out there, thus my question about why we need yetanother one.


David Jacobson wrote:

NIST SP 800-90, which is actually about random number generation,specifies two extractors, which it calls Derivation Functions, inSection 10.4.1 and 10.4.2. These are hash based and block cipherbased, respectively. Both can deal with generating internal keymaterial wider than a single block. (I write "internal keymaterial" because the data so generated is used to as input to theexpansion function.)

good points, and it looks like underestimated the number of KDFs usedto extract keys from DH in my note yesterday. It would be valuableto list and categorize all of these functions and their uses, tobetter understand the situation. Collecting text from all of ouremails, here is a start:

Uses:

1. Generate one key from another. In this case, no extraction stageis needed.2. Generate a key from a DH shared secret. In this case,computational extraction seems to be needed, because statisticalextraction would be inefficient.

3. Generate key material from a non-uniform random source. In thiscase, either statistical or computational extraction could be used.


  4. Generate a key from a passphrase.

KDFs:

P_SHA256 from Section 5 of RFC 5246, The Transport Layer Security(TLS) Protocol, Version 1.2. (HMAC in an OFB mode variant) Uses #1and #2.P_MD5 XOR P_SHA1 from Section 5 of RFC 4346, The Transport LayerSecurity (TLS) Protocol Version 1.1. (HMAC in an OFB mode variant,XORed with MD5 in the same mode.) Uses #1 and #2.AES-CMAC-PRF-128 from RFC 4615, The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128(AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol(IKE). Uses #1 and #2.

PRF+ from Section 2.13 of RFC 4306, IKEv2. (HMAC in counter mode.)Uses #1 and #2.

SSH-KDF, Section 7.2 of RFC4253, The Secure Shell (SSH) TransportLayer Protocol. (Hash function in counter mode.) Uses #1 and #2.

AES-CM-PRF, Section 4.3.3 of RFC3711, The Secure Real-time TransportProtocol.

S/MIME DH KDF. Section 2.1.2 of RFC 2631. (Hash function.) (Is thisreally the most up-to-date reference for SMIME DH?) Uses #1 and #2.Krb5-KDF from RFC 4402 A Pseudo-Random Function (PRF) for the KerberosV Generic Security Service Application Program Interface (GSS-API)Mechanism. (Hash function in counter mode.) Use #1.

PBKDF1 (Hash function in OFB mode.) PBKDF2 (HMAC iterated, with all ofthe iterates XORed together.) from RFC2898, PKCS #5: Password-BasedCryptography Specification Version 2.0. Use #4.


IEEE KDF1 (Hash function.)   Uses #1 and #2.

IEEE KDF2 (Hash function in counter mode.)   Uses #1 and #2.

ANSI X9.42 (Hash function.)   Uses #1 and #2.

ANSI X9.63 (Hash function in counter mode.)   Uses #1 and #2.

NIST SP 800-56A Concatenation-KDF and ASN.1-KDF (Hash function incounter mode.) Uses #1 and #2.

NIST SP 800-90, Section 10.4 defines two extractors (hash function incounter mode, and a block cipher mode) and Sections 10.1, 10.2, and10.3 define some "expanders". Use #3.

Additions and corrections are welcome. Also, pointers to securityanalyses would be good to have, wherever they exist.For each of these functions, it would be good to know a) under whatconditions is it secure (e.g. what has to be assumed of the hashfunction) b) where and how is it used, c) does the protocol using itadmit the replacement of its KDF, and if so, d) what is its interface(does it take a "salt" input, for example).

David

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Prev by Date: Re: [Cfrg] comments and questions on draft-krawczyk-hkdf and related work
Next by Date: Re: [Cfrg] existing KDFs and their uses
Previous by thread: [Cfrg] comments and questions on draft-krawczyk-hkdf and related work
Next by thread: Re: [Cfrg] existing KDFs and their uses
Index(es):
- Date
- Thread