[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] existing KDFs and their uses

To: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
Subject: Re: [Cfrg] existing KDFs and their uses
From: David McGrew <mcgrew at cisco.com>
Date: Thu, 22 Oct 2009 13:54:55 -0700
Authentication-results: rtp-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
Cc: cfrg at irtf.org
Delivered-to: cfrg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mcgrew at cisco.com; l=5122; q=dns/txt; s=rtpiport01001; t=1256244900; x=1257454500; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20David=20McGrew=20<mcgrew at cisco.com>|Subject:=20R e:=20[Cfrg]=20existing=20KDFs=20and=20their=20uses|Date: =20Thu,=2022=20Oct=202009=2013:54:55=20-0700|Message-Id: =20<3AB03D25-328B-4595-855C-A75B92C89295 at cisco.com>|To: =20Peter=20Gutmann=20<pgut001 at cs.auckland.ac.nz>|Cc:=20cf rg at irtf.org|Mime-Version:=201.0=20(Apple=20Message=20fram ework=20v936)|In-Reply-To:=20<E1N0qZk-0007a6-2O at wintermut e01.cs.auckland.ac.nz>|References:=20<E1N0qZk-0007a6-2O at w intermute01.cs.auckland.ac.nz>; bh=zhhEZTtxbBMQpCnqjBBaMSwfz2eIR04sWHO0+PcYkbE=; b=e/PGscT3kld+REVCDYOMN+L/yPDUXOEnbHspuopZlX3S/cfa+kC7S/w2 RBtTpBMz6xHYX8nPTv889QCRMZzuAY5Lacyyc8RjM4U0uZ6aBrdAHC0mo 6+6PzsPA6FrG+WGak3HsJKFjY2UDopECV6rCnAt131cmGfVpbQHH6+7Qd g=;
In-reply-to: <E1N0qZk-0007a6-2O at wintermute01.cs.auckland.ac.nz>
List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-help: <mailto:cfrg-request@irtf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.irtf.org>
List-post: <mailto:cfrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
References: <E1N0qZk-0007a6-2O at wintermute01.cs.auckland.ac.nz>

Hi Peter,

On Oct 21, 2009, at 10:51 PM, Peter Gutmann wrote:

David McGrew <mcgrew at cisco.com> writes:
Uses:
There's also a fifth use which I don't think is covered by any ofthe otherfour, generate multiple sets of cryptovariables (keys, IVs, nonceswhatever)from a single block of something-or-other (key + nonce + other oddsand ends),
which is what SSL/TLS and SSH do.

I was counting that as "generating one key from another"; this is theeasy case cryptographically speaking, where we start with a(uniformly) random key.

S/MIME DH KDF. Section 2.1.2 of RFC 2631. (Hash function.) (Isthis really
the most up-to-date reference for SMIME DH?)
Yes. X9.42 was chosen for political reasons over RSA, so the specstipulatedMUST X9.42, MAY RSA. Implementors everywhere interpreted it as MUSTRSA,SHOULD NOT X9.42, and after awhile the spec stopped trying topretend it was a
MUST as well, and then was allowed to fade into obscurity.
PBKDF2 (HMAC iterated, with all of the iterates XORed together.) from
RFC2898, PKCS #5: Password-Based Cryptography Specification Version2.0.
Use #4.
It's really all of them, since an iterated KDF is also a standardKDF when
iterations = 1.

I guess that I should be careful to distinguish between what afunction is designed for and what it is used for. Is PBKDF2 used withanything other than passwords as its "secret" input?

Additions and corrections are welcome.


There's also the PKCS #12 PRF and the OpenPGP PRF.


Ah, I'd forgotten those.

How obscure can the protocols get? There's others I know of inlittle-used orapplication-specific standards that probably don't carry muchweight, does
anyone really care what (say) the CMP PRF looks like?

If it is specified for use on the Internet, and is actually used, it'sworth cataloging.


thanks,

David

Also, pointers to security analyses would be good to have, whereverthey
exist.
Security analyses?  Do we do those?
(The only ones I know of are for PBKDF2 and HKDF, although I haven'tlooked atevery available document on the PRFs. For most that I've seen it'sjust
security by executive fiat).

Peter.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow-Ups:
- Re: [Cfrg] existing KDFs and their uses
  - From: Hugo Krawczyk

Prev by Date: Re: [Cfrg] why HKDF? -- Re: existing KDFs and their uses
Next by Date: Re: [Cfrg] existing KDFs and their uses
Previous by thread: Re: [Cfrg] existing KDFs and their uses
Next by thread: Re: [Cfrg] existing KDFs and their uses
Index(es):
- Date
- Thread