draft-horowitz-key-derivation-00.txt

Network Working Group                                        M. Horowitz
                                                        Cygnus Solutions
Internet-Draft                                            November, 1996

        Key Derivation for Authentication, Integrity, and Privacy

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).

   Distribution of this memo is unlimited. Please send comments to the
   author.

Abstract

   Recent advances in cryptography have made it desirable to use longer
   cryptographic keys, and to make more careful use of these keys. In
   particular, it is considered unwise by some cryptographers to use the
   same key for multiple purposes. Since most cryptographic-based
   systems perform a range of functions, such as authentication, key
   exchange, integrity, and encryption, it is desirable to use different
   cryptographic keys for these purposes.

   This document does not define a particular protocol, but defines a
   set of cryptographic transformations for use with arbitrary network
   protocols and block cryptographic algorithms.
Deriving Keys

   In order to use multiple keys for different functions, there are two
   possibilities:

   - Each protocol ``key'' contains multiple cryptographic keys. The
     implementation would know how to break up the protocol ``key'' for
     use by the underlying cryptographic routines.

   - The protocol ``key'' is used to derive the cryptographic keys.
     The implementation would perform this derivation before calling
     the underlying cryptographic routines.

   In the first solution, the system has the opportunity to provide
   separate keys for different functions. This has the advantage that
   if one of these keys is broken, the others remain secret. However,
   this comes at the cost of larger ``keys'' at the protocol layer. In
   addition, since these ``keys'' may be encrypted, compromising the
   cryptographic key which is used to encrypt them compromises all the
   component keys. Also, not all ``keys'' are used for all possible
   functions. Some ``keys'', especially those derived from passwords,
   are generated from limited amounts of entropy. Wasting some of this
   entropy on cryptographic keys which are never used is unwise.

   The second solution uses keys derived from a base key to perform
   cryptographic operations. By carefully specifying how this key is
   used, all of the advantages of the first solution can be kept, while
   eliminating some disadvantages. In particular, the base key must be
   used only for generating the derived keys, and this derivation must
   be non-invertible and entropy-preserving. Given these restrictions,
   compromise of one derived key does not compromise the other derived
   keys. Attacks on the base key are limited, since it is used only for
   derivation and is never exposed to any user data.

   Since the derived key has as much entropy as the base key (if the
   cryptosystem is good), password-derived keys have the full benefit of
   all the entropy in the password.
   To generate a derived key from a base key:

      Derived Key = DK(Base Key, Well-Known Constant)

   where

      DK(Key, Constant) = n-fold(E(Key, Constant))

   In this construction, E(Key, Plaintext) is a block cipher, Constant
   is a well-known constant defined by the protocol, and n-fold is an
   algorithm which takes m input bits and ``stretches'' them to form n
   output bits with no loss of entropy, as described in [Blumenthal96].
   In this document, n-fold is always used to produce n bits of output,
   where n is the key size of E.

   If the output of E is shorter than n bits, then some entropy in the
   key will be lost. If Constant is not a multiple of the block size of
   E, then Constant must be padded so it may be encrypted. If the
   Constant is larger than the block size, then it must be folded down
   to the block size to avoid chaining, which affects the distribution
   of entropy.

   In any of these situations, a variation of the above construction is
   used, where the Constant is encrypted in Counter Output Mode:

      DK(Key, Constant) = n-fold(E-COM(Key, Constant))

   Constant is padded to the next multiple of the block size of E with
   zero octets. If the Constant is a multiple of the block size, but
   less than the key size, then a full block of octets must be appended.
   If the resulting padded Constant is larger than a single block, the
   n-fold algorithm must be used to fold the constant down to the number
   of bits in a single block. Next, E(Key, padded Constant) is
   computed. If the output of this encryption is less than the key
   size, then the padding octets are each incremented (yielding some
   number of octets having the value one), and E(Key, padded Constant)
   is computed again and appended to the result. This process is
   repeated until the output is at least as long as the key.
   (Note that with some cryptosystems, such as DES ECB, this is
   equivalent to concatenating the padded Constants and encrypting
   once.)

   This output is then n-folded to produce the derived key.

   Since the derived key is the result of an encryption under the base
   key, deriving the base key from the derived key is equivalent to
   determining the key from a single plaintext/ciphertext pair. Thus,
   this construction is as strong as the cryptosystem itself, as long as
   no entropy is lost in this transformation.

Deriving Keys from Passwords

   When protecting information with a password or other user data, it is
   necessary to convert an arbitrary bit string into an encryption key.
   In addition, it is sometimes desirable that the transformation from
   password to key be difficult to reverse. A simple variation on the
   construction in the prior section can be used:

      Key = DK(n-fold(Password), Well-Known Constant)

   The n-fold algorithm is reversible, so recovery of the n-fold output
   is equivalent to recovery of Password. However, recovering the
   n-fold output is difficult for the same reason recovering the base
   key from a derived key is difficult.

   Traditionally, the transformation from plaintext to ciphertext, or
   vice versa, is determined by the cryptographic algorithm and the key.
   A simple way to think of derived keys is that the transformation is
   determined by the cryptographic algorithm, the constant, and the key.
   Another way to think of derived keys is to think of them as derived

   For interoperability, the constants used to derive keys for different
   purposes must be specified in the protocol specification. The
   constants must not be specified on the wire, or else an attacker who
   determined one derived key could spoof data using that derived key,
   rather than the one the protocol designer intended.
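   The following Go program is an added worked example, not part of the
   draft: it implements the n-fold stretch from [Blumenthal96], the
   DK(Key, Constant) = n-fold(E-COM(Key, Constant)) construction of the
   previous section, and the password variant Key = DK(n-fold(Password),
   Constant) above. Go's standard crypto/des stands in for E (single DES
   and triple DES, so both the "output equals key size" and "output
   shorter than key size" cases are exercised). The 24-octet base key,
   the constants "auth" and "seal", and the password are constructed for
   illustration. Two simplifications are deliberate: only constants
   shorter than one block are accepted (the draft's fold-down path for
   longer constants is not implemented), and "repeated until the output
   result is larger than the key size" is read as "until at least the key
   size", which is what the preceding sentence implies. The n-fold check
   values 64-fold("012345") and 168-fold("Q") are the published test
   vectors for this algorithm (they also appear in RFC 3961).

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

func lcm(a, b int) int {
	g, h := a, b
	for h != 0 {
		g, h = h, g%h
	}
	return a / g * b
}

// rotr rotates the big-endian bit string b right by k bits.
func rotr(b []byte, k int) []byte {
	n := len(b)
	out := make([]byte, n)
	byteShift, bitShift := (k/8)%n, k%8
	for i := 0; i < n; i++ {
		src := ((i-byteShift)%n + n) % n // byte that lands at position i
		prev := (src + n - 1) % n         // byte whose low bits spill into it
		out[i] = b[src]>>bitShift | b[prev]<<(8-bitShift)
	}
	return out
}

// nFold is Blumenthal's entropy-preserving stretch: lcm(m, n)/m copies of
// the m-bit input, each rotated right 13 bits further than the last, are
// concatenated and the n-bit chunks summed with ones'-complement addition.
func nFold(in []byte, nbits int) []byte {
	total, nbytes := lcm(len(in)*8, nbits)/8, nbits/8
	buf := make([]byte, 0, total)
	for cur := in; len(buf) < total; cur = rotr(cur, 13) {
		buf = append(buf, cur...)
	}
	out := make([]byte, nbytes)
	for c := 0; c < total; c += nbytes {
		carry := 0
		for i := nbytes - 1; i >= 0; i-- {
			s := int(out[i]) + int(buf[c+i]) + carry
			out[i], carry = byte(s), s>>8
		}
		for carry != 0 { // end-around carry
			for i := nbytes - 1; i >= 0 && carry != 0; i-- {
				s := int(out[i]) + carry
				out[i], carry = byte(s), s>>8
			}
		}
	}
	return out
}

// deriveKey is DK(Key, Constant) = n-fold(E-COM(Key, Constant)) for a
// constant shorter than one block: zero-pad it to a block and encrypt;
// while the output is shorter than the key, set the padding octets to the
// next counter value and encrypt again, appending; then n-fold to key size.
func deriveKey(newCipher func([]byte) (cipher.Block, error), baseKey, constant []byte) ([]byte, error) {
	blk, err := newCipher(baseKey)
	if err != nil {
		return nil, err
	}
	bs, ks := blk.BlockSize(), len(baseKey)
	if len(constant) >= bs { // the draft's fold-down path is not implemented here
		return nil, fmt.Errorf("constant must be shorter than the %d-octet block", bs)
	}
	padded, block := make([]byte, bs), make([]byte, bs)
	copy(padded, constant)
	var out []byte
	for ctr := 0; len(out) < ks; ctr++ {
		for i := len(constant); i < bs; i++ {
			padded[i] = byte(ctr) // padding octets carry the counter: 0, 1, 2, ...
		}
		blk.Encrypt(block, padded)
		out = append(out, block...)
	}
	return nFold(out, ks*8), nil
}

// keyFromPassword is Key = DK(n-fold(Password), Constant).
func keyFromPassword(newCipher func([]byte) (cipher.Block, error), keySize int, password string, constant []byte) ([]byte, error) {
	return deriveKey(newCipher, nFold([]byte(password), keySize*8), constant)
}

func main() {
	// Published n-fold vector: 64-fold("012345") = be072631276b1955.
	fmt.Println("64-fold(012345):", hex.EncodeToString(nFold([]byte("012345"), 64)))
	// Constructed 24-octet triple-DES base key and constants (illustration only):
	// the 8-octet block is shorter than the key, so E-COM runs three counter blocks.
	base := make([]byte, 24)
	for i := range base {
		base[i] = byte(i + 1)
	}
	for _, c := range []string{"auth", "seal"} {
		k, err := deriveKey(des.NewTripleDESCipher, base, []byte(c))
		if err != nil {
			panic(err)
		}
		fmt.Printf("DK(base, %q) = %s\n", c, hex.EncodeToString(k))
	}
	pk, err := keyFromPassword(des.NewCipher, 8, "password", []byte("krb"))
	if err != nil {
		panic(err)
	}
	fmt.Println("DES key from password:", hex.EncodeToString(pk))
}
```

   Two caveats a protocol designer would want. First, the draft says
   nothing about DES parity bits; the example does not set them, and the
   DES key schedule (Go's included) discards them, so the 8-octet n-fold
   output is accepted as-is. Second, the distinctness of the "auth" and
   "seal" keys rests entirely on the constants being fixed by the
   specification, as the previous section requires; an implementation
   that accepted the constant from the peer would hand an attacker the
   ability to substitute one derived key for another.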
   Determining which parts of a protocol require their own constants is
   an issue for the designer of a protocol using derived keys.

Security Considerations

   This entire document deals with security considerations relating to
   the use of cryptography in network protocols.

Acknowledgements

   I would like to thank Uri Blumenthal and Bill Sommerfeld for their
   contributions to this document.

References

   [Blumenthal96] Blumenthal, U., "A Better Key Schedule for DES-Like
   Ciphers", Proceedings of PRAGOCRYPT '96, 1996.

Author's Address

   Marc Horowitz
   Cygnus Solutions
   955 Massachusetts Avenue
   Cambridge, MA 02139

   Phone: +1 617 354 7688
   Email: marc@cygnus.com