[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Photuris - deriving per-algorithm keys

To: IPSEC@ans.net, hugo@watson.ibm.com
Subject: Re: Photuris - deriving per-algorithm keys
From: rogaway@cs.ucdavis.edu (Phil Rogaway)
Date: Mon, 18 Sep 95 11:49:44 PDT

 > "Slightly different keys" for different algorithms is not enough!!!
 > 
 > Such keys have to be "independent and random". In particular, knowing
 > One of the keys (e.g., for DES) should leak nothing about the other key
 > (e.g., for keyed-MD5).
 
Hugo is, of course, absolutely right.  

Performing key separation is essential; in its absence, the architecture 
should not claim to be transform non-specific.   

I have earlier tried (unsuccessfully) to draw attention to this gap. 
Perhaps Hugo's note will be more successful.

   ... 

 > Have you ignored key separation?  It wasn't clear to me if you expect
 > key separation to be done by the key-distribution mechanism or within
 > the various AH and ESP mechanisms.   In the first case this is an
 > architectural requirement which you are effectively levying on the key
 > distribution mechanism, so you should say so; in the second case, you
 > are levying this requirement on each MAC and encryption mechanism, and
 > you should say that.
 >
 > Eg:  Suppose you distribute a session key for A-->B and you use this
 > SAME session key for DES-CBC-MAC authentication and DES-CBC encryption
 > (in an AH and ESP mechanism, respectively).  Then clearly the
 > encryption mechanism destroys the authenticity you thought you were
 > getting from the authentication mechanism.  There are two outs:  the
 > architecture specifies that distinct session key distributions are
 > used for each mechanism; or else the architecture lets mechanisms
 > share distributed keys, but each mechanism is expected to produce and
 > act using its own key variant, said key variants not being related to
 > one another by any efficiently-computable means.

   ...
 
 > Key separation is very important.  A failure to perform proper key
 > separation will almost certainly cause security "interaction" problems
 > if the set of supported MAC and encryption mechanisms becomes
 > reasonably populated.  If the architecture document doesn't mandate
 > who does this, no one will do it.
 > 

                                 2/16/95
                                 e-mail to Atkinson et. al.

Prev by Date: Re: Photuris questions
Next by Date: Re: Photuris questions
Prev by thread: Photuris - deriving per-algorithm keys
Next by thread: Photuris use of SPI during Signature step
Index(es):
- Main
- Thread