
Re: comments on draft-ietf-ipsec-isakmp-oakley-06.txt



D. Hugh Redelmeier writes:
> Section 5.5 describes how to cook up more keying material, if it is
> needed:
> 
>    For situations where the amount of keying material desired is greater
>    than that supplied by the prf, KEYMAT is expanded by feeding the
>    results of the prf back into itself and concatenating results until
>    the required keying material has been reached. In other words,
> 
> I'm not a cryptographer, but...  This sounds like something for
> nothing.  What are the cryptographic implications of generating extra
> keying material this way?  I think that the document should address
> this question.

The expansion technique increases the _length_, not the _strength_, of 
the keying material. I'm inferring that you thought Sec. 5.5 purported 
to increase both, thus gaining "something for nothing". 

The feedback loop through the PRF is intended to spread the entropy of 
the seed keying material through the sequel. (I'm vigorously waving my 
hands here.)

-- 
Lewis    http://www.cs.umass.edu/~lmccarth/    "In our opinion
provable security is nothing more than a phantom, similar to
the perpetuum mobile in thermodynamics."  -- Joan Daemen, 1995
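
The expansion discussed in this message, as an added example that is not part of the original e-mail or the draft: HMAC-SHA1 stands in for the negotiated prf, and the block layout (previous block prepended to the same input data), the function names and the sample inputs are assumptions made for illustration. It counts the distinct KEYMAT values reachable from a deliberately tiny 8-bit seed space, showing that a longer output does not enlarge that count.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 stands in for whatever prf the peers negotiated.
    return hmac.new(key, data, hashlib.sha1).digest()


def expand_keymat(key: bytes, data: bytes, length: int) -> bytes:
    """Feed each prf result back into the prf and concatenate the blocks.

    Assumed layout: K1 = prf(key, data), Kn = prf(key, K(n-1) | data),
    KEYMAT = K1 | K2 | ... truncated to `length` bytes.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    keymat, block = b"", b""
    while len(keymat) < length:
        block = prf(key, block + data)
        keymat += block
    return keymat[:length]


def distinct_keymats(seed_bits: int, length: int, data: bytes) -> int:
    """Count distinct KEYMAT values over every possible seed of `seed_bits` bits."""
    width = (seed_bits + 7) // 8
    seen = {
        expand_keymat(seed.to_bytes(width, "big"), data, length)
        for seed in range(2 ** seed_bits)
    }
    return len(seen)


# Constructed stand-in for the per-SA input (protocol, SPI, nonces).
SAMPLE_DATA = b"constructed-protocol|spi|Ni|Nr"

if __name__ == "__main__":
    for length in (20, 64, 256):
        count = distinct_keymats(8, length, SAMPLE_DATA)
        print(f"{length * 8:5d}-bit KEYMAT from an 8-bit seed: {count} possible values")
```

Every output length yields the same 256 possible values, so the effective strength of the expanded material is bounded by the seed, not by the number of KEYMAT bits.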

