
Re: Problem+fix in Zero Message Master Key update

> From ipsec-request@ans.net Wed Jan  4 09:07 PST 1995
> Therefore I thought the goal is to protect Kijn from exposure of Kijl where
> l<n. It now appears that you intended only to change Kijn in an arbitrary
> way, to protect against reuse of Kp. For this purpose, it is enough to
> Have e.g. Kijn=MD5(Kij(n-1)) (formally, have Kijn the n^th output of
> pseudo-random generator).

There were also other variants of the g^nij exponentiation scheme,
which I haven't yet described, which were intended to allow
zero-message perfect forward secrecy. The reason I haven't
described this approach is that it's not very practical,
because it only works for closed groups of nodes. (It also
was intended to eliminate long term keys, as you alluded to,
but I didn't find a way to make such a scheme practical).

Wrt the repeated hashing, i.e. Kijn = h(Kij(n-1)), one of the advantages
of the g^nij (and also the h(g^ij, n)) scheme is that it is easy to go to
level n of the key (i.e. giant stepping).

By repeated hashing, one has to pay a greater computational cost for
higher values of n, if one starts from the 0th level.

> I think there is some added security in having Kijn=MD5(g^ij, n), (formally,
> a pseudo-random function with key g^ij on operand n), since then Kijn is
> secure as long as the long-lived, rarely used g^ij is not exposed.

One of the disadvantages of MD5 is that you are limited to 128 bits.
(Three key triple DES uses more than 128 bits). g^nij always gives 1024
bits, when using 1024 bit moduli. In theory this could be alleviated by
using hash functions with larger block sizes (e.g. SHA).

Regards,
Ashar.

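As an added illustration (not code from this thread or from either correspondent), the following Python puts the two derivations discussed above side by side using hashlib: the hash chain Kijn = h(Kij(n-1)) and the keyed pseudo-random function Kijn = h(g^ij, n). It counts the hash evaluations each scheme needs to reach level n (the giant-stepping point) and reports the key size the digest length allows (the 128-bit MD5 objection). G_IJ is a constructed placeholder for the shared secret, and CountingHash, chain_key, chain_advance, prf_key, cost_to_level and key_bits are names chosen here, not from the thread.

```python
import hashlib

# Constructed placeholder standing in for the shared secret g^ij (in the
# thread a 1024-bit Diffie-Hellman value); not a real key.
G_IJ = b"constructed placeholder for g^ij"


class CountingHash:
    """A named hashlib algorithm that counts how often it is evaluated."""

    def __init__(self, name="md5"):
        self.name, self.calls = name, 0

    def digest(self, data):
        self.calls += 1
        return hashlib.new(self.name, data).digest()


def chain_key(n, h, k0=G_IJ):
    """Repeated hashing: Kij0 = g^ij, Kijn = h(Kij(n-1)).
    Reaching level n from level 0 costs n hash evaluations."""
    k = k0
    for _ in range(n):
        k = h.digest(k)
    return k


def chain_advance(k_l, steps, h):
    """Move an exposed chain key Kijl forward by `steps` levels: the chain
    gives no protection for Kijn, n > l, once Kijl is known."""
    return chain_key(steps, h, k0=k_l)


def prf_key(n, h, secret=G_IJ):
    """Pseudo-random function keyed on g^ij: Kijn = h(g^ij, n).
    One evaluation for any level (giant stepping); an exposed Kijl says
    nothing about Kijn as long as g^ij itself stays secret."""
    return h.digest(secret + n.to_bytes(8, "big"))


def cost_to_level(n, name="md5"):
    """Hash evaluations each scheme needs to reach level n from level 0."""
    chain, prf = CountingHash(name), CountingHash(name)
    chain_key(n, chain)
    prf_key(n, prf)
    return chain.calls, prf.calls


def key_bits(name="md5"):
    """Key material one hash output yields: the digest length bounds the
    derived key (MD5: 128 bits), which is the objection raised above."""
    return len(prf_key(0, CountingHash(name))) * 8
```

Swapping "md5" for "sha1" in key_bits shows the larger digest the message mentions as a way around the 128-bit limit, though neither reaches the 1024 bits that g^nij yields.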