
Re: Problem+fix in Zero Message Master Key update




Ashar says:
>
> The intent of this proposal was to prevent playback of traffic
> keys (Kp), under the assumption that traffic keys could be broken
> but not master keys.

But, what the proposal really did was to introduce another layer of keys.
You'll have g^ij as the `long lived master key' and Kijn as the `medium
lived master keys' (in addition to the short lived Kp).

Therefore I thought the goal is to protect Kijn from exposure of Kijl where
l<n. It now appears that you intended only to change Kijn in an arbitrary
way, to protect against reuse of Kp. For this purpose, it is enough to
have e.g. Kijn=MD5(Kij(n-1)) (formally, have Kijn the n^th output of
a pseudo-random generator).

I think there is some added security in having Kijn=MD5(g^ij, n), (formally,
a pseudo-random function with key g^ij on operand n), since then Kijn is
secure as long as the long-lived, rarely used g^ij is not exposed.

> > It is simple to solve this (also more efficiently) by
> >
> > Kijn=h(g^ij,n)
>
> I don't have any serious objections to using a one-way hash function
> like MD5 as specified above. However, the same thing applies. Knowledge
> of g^ij reveals all Kijn. Its principal advantage is that this is
> more efficient

So, also more secure.

Best, Amir
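
The two derivations compared in this message, as an added example that is not part of the original post: it shows what one exposed medium-lived key lets a holder compute under Kijn=MD5(Kij(n-1)) versus Kijn=MD5(g^ij, n). Seeding the chain with g^ij as Kij0, concatenating the hash inputs, and encoding n as four big-endian bytes are assumptions, and the sample g^ij value is constructed.

```python
import hashlib


def md5(*parts: bytes) -> bytes:
    """MD5 over the concatenation of the given byte strings (assumed encoding)."""
    return hashlib.md5(b"".join(parts)).digest()


def chain_key(seed: bytes, n: int) -> bytes:
    """Chained form: Kijn = MD5(Kij(n-1)), i.e. MD5 applied n times to the seed."""
    key = seed
    for _ in range(n):
        key = md5(key)
    return key


def prf_key(g_ij: bytes, n: int) -> bytes:
    """Keyed form: Kijn = MD5(g^ij, n); n as 4 big-endian bytes is an assumption."""
    return md5(g_ij, n.to_bytes(4, "big"))


def later_keys_from_exposed(k_l: bytes, l: int, upto: int) -> dict:
    """Keys derivable from one exposed chained key Kijl alone, for l < n <= upto."""
    return {n: chain_key(k_l, n - l) for n in range(l + 1, upto + 1)}


# Constructed sample secret standing in for the long-lived value g^ij.
G_IJ = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    exposed = chain_key(G_IJ, 3)  # suppose the chained Kij3 is exposed
    for n, key in later_keys_from_exposed(exposed, 3, 6).items():
        # Every later chained key follows from Kij3 without knowing g^ij.
        print(f"chained Kij{n} follows from Kij3:", key == chain_key(G_IJ, n))
    # In the keyed form, hashing an exposed Kij3 forward does not yield Kij4;
    # each Kijn depends only on g^ij and n.
    leaked = prf_key(G_IJ, 3)
    print("keyed Kij4 follows from Kij3:", md5(leaked) == prf_key(G_IJ, 4))
```

MD5 is used because it is the function the thread names; a current design would use a keyed construction such as HMAC with a modern hash.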



