
Photuris - deriving per-algorithm keys



 >
 > > If both AH and ESP are indicated by one SPI, then how are the keys for
 > > the two modes assigned?  Are there two separate keys?
 > >
 > The same key bitstuff is reused.  There are two separate session-keys
 > only when two separate SPIs.  SPI => session-key, remember?
 >
 > Note that specifically using MD5 and DES, there will be two slightly
 > different keys anyway, since MD5 uses the entire generated key, while
 > DES uses only the first 64-bits and inserts parity.  But they are
 > obviously algorithmically derived.
 >

"Slightly different keys" for different algorithms is not enough!!!

Such keys have to be "independent and random". In particular, knowing
one of the keys (e.g., for DES) should leak nothing about the other key
(e.g., for keyed-MD5).

[Example: assume your 56 bits of DES are a prefix of the 128 bits of MD5.
Then exhaustive search of MD5 key is reduced from 2^128 to 2^72 by just
attacking the DES key in 2^56 steps, and then recovering the additional 72
bits of MD5 in 2^72. The latter seems an unrealistic number; however,
potential slight weaknesses of keyed-MD5 may take big advantage of this
128 to 72 bit security reduction. Moreover, a not-impossible
future "total breaking" of MD5 (say, requiring 2^32 steps to find the key)
will reduce the security of your encryption to 2^32.]

One way to derive different keys for different algorithms from a single
session key SK is to use a keyed-hash function (more precisely, a
pseudorandom function) that uses SK as the key and an "algorithm identifier"
as argument. For example, if DES is assigned identifier '01234567' and
keyed-MD5 identifier '98765432', then

DES-KEY = 56 bits of HASH(SK, '01234567')
MD5-KEY = 128 bits of HASH(SK, '98765432')

The algorithm identifiers are the standard codes assigned to the algorithms
and used, e.g., in the attributes list. This HASH function can have a
variable output size, corresponding to different key lengths for different
algorithms.

This keyed-hash function HASH (which should be called "pseudorandom")
is also an attribute to appear in the attributes list. One has to be chosen
as default.

Hugo
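As an added illustration (not part of Hugo's post), the derivation above in Python: HMAC-MD5 stands in for the unspecified keyed hash HASH, the variable output length is obtained by iterating the PRF over a counter, and the DES parity insertion mentioned in the quoted text is applied to the 56 derived bits. The identifiers '01234567' and '98765432' are the ones used in the post; the function names and the counter construction are my own assumptions.

```python
import hmac
import hashlib

# Algorithm identifiers as given in the post, used as the PRF argument.
DES_ID = b"01234567"
KEYED_MD5_ID = b"98765432"

def prf(sk: bytes, data: bytes) -> bytes:
    # Keyed pseudorandom function HASH(SK, data).  HMAC-MD5 is an assumption
    # standing in for the post's unspecified keyed hash; any PRF would do.
    return hmac.new(sk, data, hashlib.md5).digest()

def derive_key(sk: bytes, alg_id: bytes, nbits: int) -> bytes:
    # First nbits of a variable-length HASH(SK, alg_id); the variable length is
    # obtained (assumption) by iterating the PRF over a 4-byte counter.
    if nbits <= 0 or nbits % 8:
        raise ValueError("nbits must be a positive multiple of 8")
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        out += prf(sk, alg_id + counter.to_bytes(4, "big"))
        counter += 1
    return out[: nbits // 8]

def des_key_with_parity(raw56: bytes) -> bytes:
    # Spread 56 derived bits over 8 bytes, 7 per byte, and set the DES odd
    # parity bit (bit 0) of each byte.
    if len(raw56) != 7:
        raise ValueError("DES needs exactly 56 key bits")
    bits = int.from_bytes(raw56, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (7 * (7 - i))) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        key.append((seven << 1) | parity)
    return bytes(key)

def derive_session_keys(sk: bytes) -> dict:
    # Independent per-algorithm keys from one session key SK.
    return {
        "DES": des_key_with_parity(derive_key(sk, DES_ID, 56)),
        "MD5": derive_key(sk, KEYED_MD5_ID, 128),
    }

def is_prefix_related(a: bytes, b: bytes) -> bool:
    # True for the weak scheme in the post, where one key is a prefix of the other.
    return a.startswith(b) or b.startswith(a)
```

Knowing the DES key here gives no shortcut on the MD5 key: both are outputs of the PRF on distinct inputs, unlike the prefix scheme in the bracketed example.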