
Re: [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?



Bob,

I believe these questions were answered in recent discussions in the list, in particular the recent exchange with Zooko.
At the risk of boring everyone else, I will repeat:

Being a secure MAC does NOT mean being a secure KDF. That is, you can have a very secure MAC that is a bad KDF, and a very insecure MAC that is very secure as a KDF. In particular, one essential difference between the two functionalities is: a MAC function does NOT exist without a secret key and an HKDF does NOT have a secret key.

That is why the proposed scheme is called HKDF and not HMAC. It is NOT the same construction even if HKDF uses HMAC as a component.

Regarding GMAC please also see the recent exchange with Zooko.
The same considerations as for using Poly1305 or UMAC apply to GMAC. You could use GHASH as part of (a statistical) extractor/KDF but then you would need much larger parameters than those used for GMAC as MAC and other additional processing.

As for CMAC, you could use it, in principle, but you would need to be careful about HOW to use it. In particular, how are you going to key the cipher, what happens when you need more bits of output than those coming out of the cipher (e.g. you want a key for AES-256 but the output is only 128 bits), and even if your application can get all things right, the analytical results for this construction are weaker than for HMAC. For example, the only results we have for block ciphers as extractors assume these ciphers are ideal random permutations (even if you can use salt to key the cipher), while for HMAC, in many usage scenarios you do not need to resort to ideal assumptions.

Hugo

On Wed, Dec 9, 2009 at 10:37 AM, Robert Moskowitz <rgm-sec at htt-consult.com> wrote:
I am working on addressing the crypto-agility needs of HIP, and feel that I should go as far as possible.  Thus instead of staying locked in to HMAC of the selected hash, I want to allow other MACs, most likely CMAC and GMAC as they are 'NIST approved' (for some case of approved :) ).

So of course there are a couple of uses of HMAC, from MACing within the protocol to the KDF.  The NIST documents explain how to use these MACs for their data MACing purpose, but I am hazy on the KDF part, particularly in light of the KDF discussions going on here.

So for my 1st approximation of KDFs based on CMAC or GMAC, can they be directly substituted for HMAC?  I think that part of the answer for GMAC will be 'where is the IV'...

The 2nd level becomes a best practice KDF available now (or in the next 2 months) that supports a selection of interchangeable MACs.

Or do we write up the KDF separately for each supported MAC?


_______________________________________________
Cfrg mailing list
Cfrg at irtf.org
http://www.irtf.org/mailman/listinfo/cfrg