
Re: Comments regarding key stretching algorithm




On Fri, 14 Dec 2001, Andrew Krywaniuk wrote:

> > >The problem is that no matter how large you make your DH
> > exponent, the
> > >entropy in your key(s) is limited by the output of your hash.
> >
> > Why is this a problem?  Are you worried about 2^160 work attacks?
> 
> 
> My line of reasoning is this:
> 
> Every year, the guidelines for N year secrecy go up. This necessitates the
> use of stronger and stronger ciphers. MAC algorithms don't typically require
> N year secrecy so we can get away with SHA1-96. However, PRF algorithms do
> need N year secrecy when the PRF is used to create the encryption key.
> 
> I agree that just because you use AES-128 that doesn't mean you need 128
> bits of security. However, if you are using AES with 192 or 256 bit keys,
> it's presumably because you require more than 128 bits of effective
> security. In order to match key strengths, you have to increase your DH
> group size *AND* you need to either choose a different PRF algorithm or you
> have to change the key stretching algorithm.
> 
> The question I am asking is do we have to upgrade to SHA2 or TIGER solely
> for the purpose of key stretching, or could the protocol be fixed in another
> way?

The protocol does not need any fix. If someone decides to use in their
own implementation LONG DH groups and beyond 128-bit ciphers then that
someone will also use SHA2, TIGER or whatever for the prf.
Nothing in the protocol prevents that.
But asking everyone to use these overkill hashes when they feel perfectly
comfortable with Rijndael-128 makes no sense.

Hugo
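Added illustration, not part of the thread: the prf+ key expansion later standardized for IKEv2 (RFC 7296, section 2.13) with the hash pluggable, showing the point both posters agree on: however many key bytes the cipher needs, all of them are a function of SKEYSEED, whose entropy is capped by the PRF output size. The DH strength estimate passed in, the sample nonces and the shared secret are constructed values, and the entropy bound formula is this example's own summary of the argument.

```python
import hashlib
import hmac


def prf_plus(hash_name: str, key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n), output T1|T2|..."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([counter]), hash_name).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_encryption_key(hash_name: str, dh_shared: bytes, nonce_i: bytes,
                          nonce_r: bytes, cipher_key_bits: int,
                          dh_strength_bits: int):
    """Stretch a DH secret into a cipher key and report the entropy bound.

    dh_strength_bits is the caller's estimate of the DH group's strength
    (assumption: supplied by the caller, not computed here).
    """
    # SKEYSEED = prf(Ni | Nr, g^ir): its length is the PRF's digest size,
    # so every byte of KEYMAT below is determined by at most that many bits.
    skeyseed = hmac.new(nonce_i + nonce_r, dh_shared, hash_name).digest()
    keymat = prf_plus(hash_name, skeyseed, nonce_i + nonce_r, cipher_key_bits // 8)
    prf_bits = hashlib.new(hash_name).digest_size * 8
    # Effective strength of the derived key: the weakest of DH group,
    # PRF output width and the cipher's own key size.
    bound = min(dh_strength_bits, prf_bits, cipher_key_bits)
    return keymat, bound


if __name__ == "__main__":
    # Constructed sample inputs (a real exchange uses fresh random nonces
    # and a DH shared secret of the group's size).
    g_ir = bytes(range(256))
    ni, nr = b"\x11" * 16, b"\x22" * 16
    for h in ("sha1", "sha256"):
        key, bound = derive_encryption_key(h, g_ir, ni, nr, 256, 256)
        print(f"{h}: AES-256 key {key.hex()[:16]}... effective strength {bound} bits")
```

With SHA-1 as the PRF the 256-bit AES key is bounded at 160 bits of strength; switching the PRF to SHA-256 lifts the bound to 256, which is exactly the upgrade the thread discusses.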


