
Re: IKE entropy issues with long keys



Wes, this is in answer to your message from Feb 2nd 
and to the following

On 5 Feb 2001, Wes Hardaker wrote:
> 
> I wasn't suggesting the problem be solved (since it's too late).  It
> should, IMHO, be at least mentioned in the documents even if the
> problem itself is ignored and not solved.

There is no problem to solve.
The design of key derivation in IKE is correct.
If you want to use Blowfish with a 448-bit key (as in your example)
and you feel that your current hash function is not strong enough then
upgrade the prf: for example, use Blowfish with a 448-bit key in CBC-MAC
mode as your prf.

Doing repeated DH exchanges as you suggested in a previous message does 
not upgrade the security of the whole thing. It still remains the
minimum between the security of DH and the security of the prf.

BTW, since we are not talking about brute force here (any of the
hash algorithms in current use are good enough in that sense)
then we are talking cryptanalysis. Now, the feedback mode in 
the definition of key derivation in IKE was introduced exactly to
make cryptanalysis very hard. Think about how much known plaintext you
have, and how many applications of the prf with the same key the
attacker sees. This is NOT like an attacker against the data encryption
function who sees lots of plaintext encrypted under the same key and
may know or even choose the encrypted plaintexts.

Crypto design is NOT based on simplistic (entropy or other) arithmetic
but on careful protocol analysis and reduction of the protocol strength to
the assumed difficulty of breaking the underlying crypto functions.

Hugo
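
Added example, not part of the original message: the feedback-mode key expansion referred to above, written out as RFC 2409 section 5.5 defines it for IKEv1 KEYMAT, stretching a 160-bit prf output to a 448-bit Blowfish key. HMAC-SHA1 as the prf and every input value below are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs (not taken from any real exchange).
SKEYID_D = hashlib.sha1(b"constructed SKEYID_d").digest()
PROTO_ESP = 3                      # protocol ID octet for ESP
SPI = bytes.fromhex("c0ffee01")    # 4-octet SPI
NI_B = hashlib.sha1(b"constructed initiator nonce").digest()
NR_B = hashlib.sha1(b"constructed responder nonce").digest()


def prf(key: bytes, data: bytes, digest: str = "sha1") -> bytes:
    """Keyed prf; HMAC with the given hash is assumed here."""
    return hmac.new(key, data, digest).digest()


def expand_keymat(skeyid_d, protocol, spi, ni_b, nr_b, nbits, digest="sha1"):
    """Feedback-mode expansion without PFS:
         K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
         Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b)
       Returns (key truncated to nbits, list of prf output blocks)."""
    seed = bytes([protocol]) + spi + ni_b + nr_b
    need = (nbits + 7) // 8
    blocks, prev = [], b""
    while sum(len(b) for b in blocks) < need:
        # The previous block is fed back into the prf input, so each
        # prf call under SKEYID_d sees a different, secret-dependent input.
        prev = prf(skeyid_d, prev + seed, digest)
        blocks.append(prev)
    return b"".join(blocks)[:need], blocks


if __name__ == "__main__":
    key, blocks = expand_keymat(SKEYID_D, PROTO_ESP, SPI, NI_B, NR_B, 448)
    # A 448-bit key costs only three prf calls under the same SKEYID_d,
    # which is all the material an attacker on the derivation gets to see.
    print("prf calls under SKEYID_d:", len(blocks))
    print("Blowfish key (%d bits): %s" % (len(key) * 8, key.hex()))
```

The output length is 448 bits, but its strength is still bounded by the weaker of the DH exchange that produced SKEYID_d and the prf, which is the point made in the message.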






