IKEv2 use of HMAC-SHA-1 for Key Derivation
On pages 23 and 33 of draft-ietf-ipsec-ikev2-03.txt, there is a discussion
of the use of HMAC-SHA1 for key derivation. I have no doubt that this
construction is secure, but I do wonder if it is overkill.
HMAC-SHA1 was designed as a packet integrity mechanism. The designers
needed to deal with many concerns that are not obviously (at least to me)
needed to generate a good key derivation function.
Can anyone tell me the properties of HMAC-SHA1 that are needed here that are
not otherwise provided by a straightforward application of SHA1?
Putting it another way, the current document uses:
T1 = HMAC-SHA1(K, S | 0x01)
T2 = HMAC-SHA1(K, T1 | S | 0x02)
T3 = HMAC-SHA1(K, T2 | S | 0x03)
T4 = HMAC-SHA1(K, T3 | S | 0x04)
What needed property does this construction have that is not provided by
the following?
T1 = SHA1(K, S | 0x01)
T2 = SHA1(K, T1 | S | 0x02)
T3 = SHA1(K, T2 | S | 0x03)
T4 = SHA1(K, T3 | S | 0x04)
Thanks for any insights that can be provided.
Russ
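
The two constructions compared in the message above, written out as runnable code. This is an added example, not part of the original message or of the draft; the function names are hypothetical, and it assumes that "SHA1(K, X)" means SHA1 over the concatenation K | X.

```python
import hashlib
import hmac

BLOCK_LEN = hashlib.sha1().digest_size  # each T_i is 20 octets


def _expand(block_fn, key, seed, length):
    """Build T1 | T2 | ... and truncate to `length` octets.

    block_fn(key, data) computes one T_i; data is T_(i-1) | S | counter,
    with T_0 empty, matching the chaining shown in the message.
    """
    if length > 255 * BLOCK_LEN:
        # The counter is a single octet starting at 0x01.
        raise ValueError("single-octet counter allows at most 255 blocks")
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = block_fn(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def hmac_block(key, data):
    # T_i = HMAC-SHA1(K, T_(i-1) | S | i)
    return hmac.new(key, data, hashlib.sha1).digest()


def plain_block(key, data):
    # Assumption: T_i = SHA1(K | T_(i-1) | S | i), the key simply prepended.
    return hashlib.sha1(key + data).digest()


def kdf_hmac_sha1(key, seed, length):
    return _expand(hmac_block, key, seed, length)


def kdf_plain_sha1(key, seed, length):
    return _expand(plain_block, key, seed, length)


if __name__ == "__main__":
    K = bytes(range(20))        # constructed sample key
    S = b"constructed-seed"     # constructed sample seed
    print("HMAC :", kdf_hmac_sha1(K, S, 80).hex())
    print("plain:", kdf_plain_sha1(K, S, 80).hex())
```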