
independence of keying material for multiple transforms



I've only been dimly following IPSEC for a while, and am trying to pay
attention more.  Thus this comment is from someone less familiar with
the documents; I hope this perspective is useful in that it might
cause an unwritten shared assumption to be written down clearly.

I'd like to concur with the notion expressed in a recent message that the
documents explicitly make the point that, when raw keying material is
used to generate blobs, whatever entropy was 'used' to generate one blob
not be reused when generating another blob.  Or perhaps, that it
should be computationally infeasible to determine information about
any bit in blob A given the entire contents of blobs B, C, D.

This may seem obvious, and I get the impression that most/all people
are thinking this, but it wasn't said explicitly in Ran's phrasing.
I'm not comfortably sure that all readers would get this nuance,
particularly if they aren't aspiring Real Cryptographers.

        Greg Troxel <gdt@bbn.com>  +1 617 873 2494
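The two ways of carving per-transform keys out of raw keying material that the message contrasts, as an added example that is not part of the original post or of any IPsec document: a naive scheme that copies byte ranges of the raw material into each key (and wraps around when it runs out, so the same entropy lands in more than one key), beside an HKDF-style PRF expansion with a distinct label per transform. The raw secret, key lengths and labels are constructed for the demo; the PRF path is reimplemented here with the standard library hmac module and follows the RFC 5869 extract/expand structure.

```python
import hmac
import hashlib

# Constructed sample standing in for raw keying material (e.g. a Diffie-Hellman
# shared secret). Not a real secret; it only makes the demo run offline.
RAW_SECRET = bytes(range(1, 33))                           # 32 bytes of "raw" material
KEY_LENGTHS = [16, 16, 16]                                 # three transforms, 16 bytes each
LABELS = [b"transform-A", b"transform-B", b"transform-C"]  # assumed per-transform labels


def naive_keys(raw: bytes, lengths: list[int]) -> list[tuple[bytes, frozenset[int]]]:
    """The pattern the message warns against: carve each key directly out of
    the raw material, walking forward and wrapping around when it runs out.
    Returns each key with the set of raw byte positions it consumed."""
    out, off = [], 0
    for n in lengths:
        idx = [(off + i) % len(raw) for i in range(n)]
        out.append((bytes(raw[i] for i in idx), frozenset(idx)))
        off += n
    return out


def revealed_bytes(keys: list[tuple[bytes, frozenset[int]]], target: int) -> int:
    """Bytes of key `target` an attacker learns outright from the other keys:
    under naive slicing, any raw position shared with another key was copied
    verbatim into that key, so those bytes of `target` are known."""
    others = frozenset().union(*(pos for j, (_, pos) in enumerate(keys) if j != target))
    return len(keys[target][1] & others)


def prf_keys(raw: bytes, labels: list[bytes], lengths: list[int]) -> list[bytes]:
    """HKDF-style derivation: extract a PRK from the whole raw secret, then
    expand once per label. Distinct labels give outputs that are
    computationally independent under the PRF assumption on HMAC-SHA256,
    and no raw byte is ever copied into a key."""
    prk = hmac.new(b"\x00" * 32, raw, hashlib.sha256).digest()   # extract, zero salt
    keys = []
    for label, n in zip(labels, lengths):
        okm, t, ctr = b"", b"", 1
        while len(okm) < n:                                       # expand, T(i) = HMAC(PRK, T(i-1) | label | i)
            t = hmac.new(prk, t + label + bytes([ctr]), hashlib.sha256).digest()
            okm += t
            ctr += 1
        keys.append(okm[:n])
    return keys


def every_input_byte_matters(raw: bytes, labels: list[bytes], lengths: list[int]) -> bool:
    """Structural sanity check on the PRF path: flipping any single raw byte
    changes every derived key, i.e. each key depends on all of the material
    rather than on a slice of it. Naive slicing cannot pass this check."""
    base = prf_keys(raw, labels, lengths)
    for i in range(len(raw)):
        flipped = raw[:i] + bytes([raw[i] ^ 0x01]) + raw[i + 1:]
        if any(a == b for a, b in zip(base, prf_keys(flipped, labels, lengths))):
            return False
    return True


if __name__ == "__main__":
    naive = naive_keys(RAW_SECRET, KEY_LENGTHS)
    for i in range(len(naive)):
        print(f"naive key {i}: {revealed_bytes(naive, i)} of {KEY_LENGTHS[i]} bytes exposed by the other keys")
    derived = prf_keys(RAW_SECRET, LABELS, KEY_LENGTHS)
    print("PRF keys distinct:", len(set(derived)) == len(derived))
    print("every raw byte influences every PRF key:", every_input_byte_matters(RAW_SECRET, LABELS, KEY_LENGTHS))
```

With 32 bytes of raw material and three 16-byte requests, the third naive key wraps around and duplicates the first one entirely, which is exactly the reuse of entropy the message asks the documents to rule out. The PRF path avoids that by construction, but note the caveat the code cannot demonstrate: computational independence of the derived keys rests on the PRF assumption, and the total unpredictability of all derived keys together is still bounded by the entropy of the raw material (and by the hash output size), so deriving more key bytes than the input supplies does not manufacture entropy.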

