[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: deriving keying material from the shared secret
- To: Steve Bellovin <smb@research.att.com>
- Subject: Re: deriving keying material from the shared secret
- From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
- Date: Mon, 01 Jul 1996 14:03:09 -0400
- Cc: ipsec@TIS.COM
- In-Reply-To: smb's message of Sun, 30 Jun 1996 19:18:51 -0400. <199606302320.TAA00201@smb.research.att.com>
- MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
- MMDF-Warning: Unable to confirm address in preceding line at neptune.TIS.COM
- Sender: ipsec-approval@neptune.tis.com
All transforms which provide authentication and encryption need to
resist a known-plaintext key-recovery attack.
Using the strongest cryptographic part of the transform itself with
the shared secret as the *key* and some known plaintext as input might
be a good way to generate one or more keys for use by a given
transform. If you need multiple keys, use multiple different known
plaintexts.
In the event the transform can't deal with a variable-length key, do
some not-necessarily-cryptographic transform of the shared secret to
come up with the fixed-length key (like the kerberos string-to-key
bitwise-fanfold-and-xor approach).
Upside: the resulting key generation should be no weaker than the
transform itself is, assuming the shared secret is big enough.
For instance, for 3DES, you wouldn't weaken a 168-bit 3DES key to 160
or 128 bits by funnelling the key material through SHA or MD5.
Downside: you probably don't want to do this for algorithms where key
recovery might become practical (e.g., single-DES) because you'll leak
bits out of the shared secret that way.
- Bill