
Re: change in isakmp/oakley



I'd thought you were going to contrast collision resistance with
"mixing" and use that as the rationale for using prf for
authentication, hash for key derivation.  And I was going to
reply that we expect that the key for prf will always be at least
128 bits, so the point is moot, because the key always fills the
first input block for the one-way function.

Instead, the worry expressed is that the prf definition will allow key
truncation.  I'd never considered that a possibility, though I suppose
that is why correct composition is such a hard problem --- incomplete
specifications of the composition requirements.

Do the specs allow the prfs to do key truncation?  What do they do
with keys longer than one block?  My own opinion is that truncation
is a severe bug in any case, and that it should be fixed.  This makes
their use for session key derivation moot.

Hilarie
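The two questions in the message (can a prf definition truncate its key, and what happens to keys longer than one input block) can be checked concretely for the HMAC construction. The following is an added example, not part of the original mail or of any ISAKMP/Oakley specification; it assumes the prf under discussion is HMAC as defined in RFC 2104 (the message itself never names the construction). It writes HMAC out by hand so the key handling is visible, cross-checks it against the standard library, and adds a black-box probe that detects a prf wrapper which silently drops key bytes. The `truncating_prf` function is a constructed illustration of the defect, not code from any real implementation.

```python
import hashlib
import hmac as stdlib_hmac  # used only to cross-check the hand-rolled version

# Input block size (bytes) of the underlying hash; all three are 64-byte block ciphers
# of the Merkle-Damgard family, so a 128-bit key occupies only a quarter of one block.
BLOCK_SIZE = {"md5": 64, "sha1": 64, "sha256": 64}


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC as specified in RFC 2104, written out to make the key handling visible.

    Keys longer than one block are first hashed down to a digest (they are
    compressed, never cut off); keys shorter than a block are zero-padded.
    In neither case is any key material silently discarded."""
    block = BLOCK_SIZE[hash_name]
    h = lambda data: hashlib.new(hash_name, data).digest()
    if len(key) > block:
        key = h(key)                    # long key: hash it, do not truncate it
    key = key.ljust(block, b"\x00")     # short key: pad to one full block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Sanity check: the hand-rolled HMAC agrees with hashlib/hmac for this input."""
    return hmac_rfc2104(key, msg, hash_name) == stdlib_hmac.new(key, msg, hash_name).digest()


def prf_uses_whole_key(prf, key: bytes, msg: bytes = b"probe") -> bool:
    """Black-box probe for key truncation.

    Flip the last byte of the key and compare outputs.  A prf that keeps the
    whole key produces a different value; one that quietly truncates the key
    to some prefix returns the same value for both keys."""
    assert key, "probe needs a non-empty key"
    tweaked = key[:-1] + bytes([key[-1] ^ 0xFF])
    return prf(key, msg) != prf(tweaked, msg)


def truncating_prf(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """Constructed example of the defect the message worries about: a wrapper
    that keeps only the first 16 bytes (128 bits) of the key before calling
    the real prf.  Key-derivation built on this would silently lose entropy."""
    return hmac_rfc2104(key[:16], msg, hash_name)


if __name__ == "__main__":
    long_key = bytes(range(100))        # constructed key longer than one block
    short_key = bytes(range(32))        # constructed key shorter than one block
    print("hand-rolled HMAC matches stdlib:", matches_stdlib(long_key, b"hello"))
    print("RFC 2104 HMAC uses whole 100-byte key:", prf_uses_whole_key(hmac_rfc2104, long_key))
    print("truncating wrapper uses whole 32-byte key:", prf_uses_whole_key(truncating_prf, short_key))
```

The probe only needs oracle access to the prf, so the same check can be run against a third-party implementation without reading its source: feed it a key longer than the block size and a key that differs only in its trailing bytes, and compare the outputs.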

