
Re: Problem+fix in Zero Message Master Key update



Hi Ashar and all,

> > I think there is some added security in having Kijn=MD5(g^ij, n), (formally,
> > a pseudo-random function with key g^ij on operand n), since then Kijn is
> > secure as long as the long-lived, rarely used g^ij is not exposed.
>
> One of the disadvantages of MD5 is that you are limited to 128 bits.
> (Three key triple DES uses more than 128 bits). g^nij always gives 1024
> bits, when using 1024 bit moduli. In theory this could be alleviated by
> using hash functions with larger block sizes (e.g. SHA).

This is easy to resolve, by having Kijn=K'ijn1 || ... || K'ijnl
(where l is selected to give you enough bits)
and let K'ijnq=MD5(n, q, g^ij)

While this may seem complicated at first sight, this is in reality both
simple and very efficient. Give a second look.

As usual, MD5 above is just a reasonable example and could be substituted by
your favorite pseudo-random function (with key g^ij), e.g. SHA. (BTW, if using
MD5, one should use the order above rather than as I originally wrote)

Is there any disadvantage to this?

Best, Amir
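
An added worked example of the expansion described in the message (not code from the original post or from either correspondent): K'ijnq = H(n, q, g^ij) blocks are concatenated and truncated to the key length wanted, so a 128-bit MD5 digest can still yield the 192 key bits (168 without parity) of three-key triple DES. Assumptions not stated in the message: n and q are encoded as fixed-width 4-byte big-endian integers, and the 1024-bit g^ij here is a constructed placeholder rather than a real Diffie-Hellman output. Keeping g^ij as the last input, as in the message's ordering, also means a derived K'ijnq cannot be extended into another value by MD5 length extension, which a secret-prefix construction would allow.

```python
import hashlib
import math

# Constructed 128-byte (1024-bit) stand-in for the Diffie-Hellman value g^ij.
# It is NOT a real DH output; a deployment takes g^ij from the exchange.
SAMPLE_SHARED_SECRET = hashlib.sha512(b"constructed g^ij sample").digest() * 2
assert len(SAMPLE_SHARED_SECRET) == 128


def blocks_needed(key_bits: int, hash_name: str = "md5") -> int:
    """l in K_ijn = K'_ijn1 || ... || K'_ijnl: enough digests to cover key_bits."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    return math.ceil(key_bits / digest_bits)


def derive_block(shared_secret: bytes, n: int, q: int, hash_name: str = "md5") -> bytes:
    """K'_ijnq = H(n, q, g^ij).

    Assumption (not fixed by the message): n and q are 4-byte big-endian
    integers, so the field boundaries cannot be shifted by a chosen value.
    The secret g^ij is hashed LAST, matching the order in the message; a
    secret-prefix MD5 would be open to length extension.
    """
    h = hashlib.new(hash_name)
    h.update(n.to_bytes(4, "big"))
    h.update(q.to_bytes(4, "big"))
    h.update(shared_secret)
    return h.digest()


def expand_key(shared_secret: bytes, n: int, key_bits: int, hash_name: str = "md5") -> bytes:
    """K_ijn: concatenate l blocks K'_ijn1 .. K'_ijnl and truncate to key_bits."""
    if key_bits % 8:
        raise ValueError("key_bits must be a multiple of 8")
    num_blocks = blocks_needed(key_bits, hash_name)
    stream = b"".join(
        derive_block(shared_secret, n, q, hash_name) for q in range(1, num_blocks + 1)
    )
    return stream[: key_bits // 8]


def three_key_3des_key(shared_secret: bytes, n: int, hash_name: str = "md5") -> bytes:
    """Three-key triple DES needs 3 x 64 = 192 key bits (168 without parity),
    more than one MD5 digest, which is the limitation raised in the quoted reply."""
    return expand_key(shared_secret, n, 192, hash_name)


if __name__ == "__main__":
    # Same g^ij and n on both ends gives the same K_ijn; a new n gives a fresh key.
    for name in ("md5", "sha1", "sha256"):
        k1 = three_key_3des_key(SAMPLE_SHARED_SECRET, 1, name)
        k2 = three_key_3des_key(SAMPLE_SHARED_SECRET, 2, name)
        print(f"{name:7s} l={blocks_needed(192, name)} "
              f"K_ij1={k1.hex()} K_ij2={k2.hex()[:16]}...")
```

With MD5 or SHA-1 two blocks are needed for a 192-bit key and the second digest is truncated; with SHA-256 a single block already suffices, which is the "larger hash" alternative the quoted reply mentions.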

