
Re: deriving keying material from the shared secret



All transforms which provide authentication and encryption need to
resist a known-plaintext key-recovery attack.

Using the strongest cryptographic part of the transform itself with
the shared secret as the *key* and some known plaintext as input might
be a good way to generate one or more keys for use by a given
transform.  If you need multiple keys, use multiple different known
plaintexts.

In the event the transform can't deal with a variable-length key, do
some not-necessarily-cryptographic transform of the shared secret to
come up with the fixed-length key (like the Kerberos string-to-key
bitwise-fanfold-and-xor approach).

Upside: the resulting key generation should be no weaker than the
transform itself is, assuming the shared secret is big enough.

For instance, for 3DES, you wouldn't weaken a 168-bit 3DES key to 160
or 128 bits by funnelling the key material through SHA or MD5.

Downside: you probably don't want to do this for algorithms where key
recovery might become practical (e.g., single-DES) because you'll leak
bits out of the shared secret that way.

					- Bill
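A worked version of the scheme sketched in the post, added here as an example (it is not code from the original thread or from any IPsec implementation): the shared secret is folded to a fixed length with a simplified fanfold-and-XOR, and then a keyed primitive is run over distinct known plaintexts to pull out several keys. HMAC-SHA256 stands in for "the strongest cryptographic part of the transform" purely so the block runs with the standard library; the label strings and the minimum-secret-length check are this example's own assumptions.

```python
import hashlib
import hmac


def fanfold_xor(secret: bytes, key_len: int) -> bytes:
    """Reduce a variable-length shared secret to key_len bytes.

    Simplified fanfold: the secret is laid out in panels of key_len
    bytes, every other panel reversed (folded back), and the panels are
    XOR-ed together.  Like the Kerberos string-to-key step this only
    fixes the length; it adds no cryptographic strength.
    """
    if not secret:
        raise ValueError("empty shared secret")
    out = bytearray(key_len)
    for i, b in enumerate(secret):
        panel, pos = divmod(i, key_len)
        idx = key_len - 1 - pos if panel % 2 else pos  # odd panels run backwards
        out[idx] ^= b
    return bytes(out)


def derive_keys(shared_secret: bytes, labels: list, key_len: int = 32) -> dict:
    """Key the transform's primitive with the (folded) shared secret and
    feed it one distinct known plaintext per key wanted.

    HMAC-SHA256 is an assumed stand-in for the transform's own strongest
    primitive.  The length check enforces the post's caveat that the
    result is only as strong as the transform if the secret is big enough.
    """
    if len(shared_secret) < key_len:
        raise ValueError("shared secret shorter than the key it must fill")
    if len(set(labels)) != len(labels):
        raise ValueError("known plaintexts must be distinct to get distinct keys")
    k = fanfold_xor(shared_secret, key_len)
    return {label: hmac.new(k, label, hashlib.sha256).digest() for label in labels}


# Constructed sample input: a 48-byte "shared secret" and two labels.
SAMPLE_SECRET = bytes(range(7, 55))
SAMPLE_LABELS = [b"esp encryption key 1", b"ah authentication key 1"]

if __name__ == "__main__":
    for label, key in derive_keys(SAMPLE_SECRET, SAMPLE_LABELS).items():
        print(label.decode(), key.hex())
```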