
RE: Some comments to draft-ietf-ipsec-ikev2-00.txt



> As a general principle,
> if you have two keys k and k' where k' was derived from k
> then applying prf(k', k) (here k' is the key to the prf and k
> the input)
> may be insecure even if prf is an excellent pseudorandom
> function family

Okay, I believe you.

But both of these issues deal with key stretching, although in one case the
input is public information and in the other case the input is private
information.

If SKEYSEED = prf(Ni | Nr, g^ir) and we use the generic stretching algorithm
then it does no good to make Ni and Nr any bigger than the output of the
hash. If that is the case then many of us ought to be changing our code to
use smaller nonces, since large nonces are merely wasting entropy and
bandwidth. (And the draft ought to talk about how to choose an appropriate
length nonce.)


In the case of:

       K1 = prf(SKEYSEED_e, 0)
       K2 = prf(SKEYSEED_e, K1)
       K3 = prf(SKEYSEED_e, K2)

The problem is that no matter how large you make your DH exponent, the
entropy in your key(s) is limited by the output of your hash. This was
brought up a couple of times in reference to IKEv1 and I had assumed that we
would be fixing it in IKEv2. Isn't there a way to get around this problem,
or do we all need to go and implement SHA-2 solely for the purpose of key
stretching?

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
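The derivation Andrew is describing, carried through in code as an added example (not code from the thread, the draft, or any IKE implementation). It builds SKEYSEED = prf(Ni | Nr, g^ir) and then the chain K1 = prf(SKEYSEED_e, 0), K2 = prf(SKEYSEED_e, K1), K3 = prf(SKEYSEED_e, K2), and counts how many distinct stretched keys can come out. Assumptions: the prf is HMAC-SHA1, SKEYSEED is used directly as SKEYSEED_e, and the constant 0 is a single zero octet. To make the entropy cap visible by brute force, the prf can be truncated to a toy 1-byte output; with the real 20-byte output the same argument bounds the key space at 2^160 no matter how large the DH group or the nonces are.

```python
import hashlib
import hmac
import os

# Assumption: the negotiated prf is HMAC-SHA1, whose 20-byte output is the
# cap on key entropy that the message is complaining about.
HASH = hashlib.sha1
PRF_BYTES = HASH().digest_size  # 20


def prf(key, data, out_bytes=PRF_BYTES):
    """prf(key, data) as HMAC over HASH.  out_bytes < 20 truncates the
    output to a toy-sized prf so the entropy bound can be counted."""
    return hmac.new(key, data, HASH).digest()[:out_bytes]


def skeyseed(ni, nr, g_ir, out_bytes=PRF_BYTES):
    """SKEYSEED = prf(Ni | Nr, g^ir): the nonces key the prf, the DH
    shared secret is the input.  Output length is the prf's, not g^ir's."""
    return prf(ni + nr, g_ir, out_bytes)


def stretch(skeyseed_e, nblocks, out_bytes=PRF_BYTES):
    """The chain quoted in the message:
         K1 = prf(SKEYSEED_e, 0)
         Ki = prf(SKEYSEED_e, K(i-1))
    Assumption: the constant 0 is encoded as a single zero octet."""
    blocks = []
    prev = b"\x00"
    for _ in range(nblocks):
        prev = prf(skeyseed_e, prev, out_bytes)
        blocks.append(prev)
    return blocks


def max_possible_keys(prf_bytes):
    """Every stretched key is a function of SKEYSEED_e alone, which has
    prf_bytes bytes, so this is an upper bound on distinct keys."""
    return 2 ** (8 * prf_bytes)


def count_distinct_keys(trials, prf_bytes, nonce_bytes=32, dh_bytes=128,
                        nblocks=3):
    """Run the whole derivation on 'trials' fresh (Ni, Nr, g^ir) triples
    (constructed with os.urandom) and count distinct K1|K2|K3 values.
    The nonce and DH sizes do not raise the count past max_possible_keys."""
    seen = set()
    for _ in range(trials):
        ni = os.urandom(nonce_bytes)
        nr = os.urandom(nonce_bytes)
        g_ir = os.urandom(dh_bytes)
        s = skeyseed(ni, nr, g_ir, prf_bytes)
        seen.add(b"".join(stretch(s, nblocks, prf_bytes)))
    return len(seen)


if __name__ == "__main__":
    # Toy 1-byte prf: 3000 runs with 256-bit nonces and a 1024-bit g^ir
    # still produce at most 256 distinct 3-block (24-bit) keys.
    print(count_distinct_keys(3000, 1), "distinct keys, bound",
          max_possible_keys(1))
    # Full-size prf: each run yields a fresh key, but the bound is 2**160,
    # not 2**1024, however large the DH exponent.
    print(count_distinct_keys(200, PRF_BYTES), "distinct keys, bound",
          max_possible_keys(PRF_BYTES))
```

The point the counting makes is structural rather than about SHA-1 in particular: because every block of the chain is keyed by the same SKEYSEED_e and nothing else, the stretched key material is a deterministic function of one prf-sized value, so the only way to raise the cap is a prf with a longer output (or a construction that feeds more of g^ir into each block), not longer nonces or a bigger DH group.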