
Re: Comments regarding key stretching algorithm



> >The problem is that no matter how large you make your DH exponent, the
> >entropy in your key(s) is limited by the output of your hash.
>
> Why is this a problem?  Are you worried about 2^160 work attacks?


My line of reasoning is this:

Every year, the guidelines for N year secrecy go up. This necessitates the
use of stronger and stronger ciphers. MAC algorithms don't typically require
N year secrecy so we can get away with SHA1-96. However, PRF algorithms do
need N year secrecy when the PRF is used to create the encryption key.

I agree that just because you use AES-128 that doesn't mean you need 128
bits of security. However, if you are using AES with 192 or 256 bit keys,
it's presumably because you require more than 128 bits of effective
security. In order to match key strengths, you have to increase your DH
group size *AND* you need to either choose a different PRF algorithm or you
have to change the key stretching algorithm.

The question I am asking is do we have to upgrade to SHA2 or TIGER solely
for the purpose of key stretching, or could the protocol be fixed in another
way?

-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
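
The bottleneck discussed in this message, as an added example that is not part of the original e-mail: a toy Python model in which the stretching seed is deliberately shrunk to a few bits so that every seed can be enumerated. The feedback construction in `stretch` and the names `prf`, `stretch` and `distinct_keys` are assumptions made for illustration, not the algorithm of any particular protocol.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 standing in for the PRF: 160 bits of output per call."""
    return hmac.new(key, data, hashlib.sha1).digest()


def stretch(seed: bytes, nbytes: int) -> bytes:
    """Feedback stretch (assumed construction):
    K1 = prf(seed, 0x00), Ki = prf(seed, K(i-1)), output = K1 | K2 | ...
    Every output byte is a deterministic function of the seed alone."""
    out, block = b"", b"\x00"
    while len(out) < nbytes:
        block = prf(seed, block)
        out += block
    return out[:nbytes]


def distinct_keys(seed_bits: int, key_bytes: int = 32) -> int:
    """Enumerate every seed of seed_bits bits and count how many different
    key_bytes-long keys the stretch can ever produce."""
    seed_len = (seed_bits + 7) // 8
    keys = {
        stretch(i.to_bytes(seed_len, "big"), key_bytes)
        for i in range(1 << seed_bits)
    }
    return len(keys)


if __name__ == "__main__":
    # Constructed toy sizes: the seed plays the role of the 160-bit hash
    # output, the 32-byte result plays the role of an AES-256 key.
    for bits in (8, 12):
        n = distinct_keys(bits)
        print(f"{bits}-bit seed -> {n} distinct 256-bit keys "
              f"(key space has 2^256, reachable 2^{bits})")
```

Scaling the seed back up to 160 bits gives at most 2^160 reachable 256-bit keys, whatever the size of the DH group that fed the hash.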



