IKEv2 use of HMAC-SHA-1 for Key Derivation



On pages 23 and 33 of draft-ietf-ipsec-ikev2-03.txt, there is a discussion 
of the use of HMAC-SHA1 for key derivation.  I have no doubt that this 
construction is secure, but I do wonder if it is overkill.

HMAC-SHA1 was designed as a packet integrity mechanism.  The designers 
needed to deal with many concerns that are not obviously (at least to me) 
needed to generate a good key derivation function.

Can anyone tell me the properties of HMAC-SHA1 that are needed here that are 
not otherwise provided by a straightforward application of SHA1?

Putting it another way, the current document uses:

    T1 = HMAC-SHA1(K, S | 0x01)
    T2 = HMAC-SHA1(K, T1 | S | 0x02)
    T3 = HMAC-SHA1(K, T2 | S | 0x03)
    T4 = HMAC-SHA1(K, T3 | S | 0x04)

What needed property does this construction have that is not provided by 
the following?

    T1 = SHA1(K, S | 0x01)
    T2 = SHA1(K, T1 | S | 0x02)
    T3 = SHA1(K, T2 | S | 0x03)
    T4 = SHA1(K, T3 | S | 0x04)

Thanks for any insights that can be provided.

Russ
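
The two constructions compared in the message above, written out as an added example that is not part of the original post or of the draft. It assumes "SHA1(K, X)" means SHA1 over the concatenation K | X, and the names expand, hmac_sha1, plain_sha1, K and S are chosen here for illustration.

```python
import hashlib
import hmac

BLOCK = hashlib.sha1().digest_size  # each T_i is 20 octets


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """First construction in the message: T_i = HMAC-SHA1(K, ...)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def plain_sha1(key: bytes, data: bytes) -> bytes:
    """Second construction. Assumption: SHA1(K, X) is SHA1(K | X)."""
    return hashlib.sha1(key + data).digest()


def expand(prf, key: bytes, seed: bytes, length: int) -> bytes:
    """Return the first `length` octets of T1 | T2 | T3 | ...

    T1 = prf(K, S | 0x01) and T_i = prf(K, T_(i-1) | S | i), as laid out
    in the message. The counter is one octet, so at most 255 blocks exist.
    """
    if length > 255 * BLOCK:
        raise ValueError("single-octet counter allows at most 255 blocks")
    out = b""
    prev = b""  # T1 has no previous block in front of S
    counter = 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


# Constructed sample inputs, not values from the draft.
K = bytes(range(20))
S = b"constructed-seed-material"

if __name__ == "__main__":
    for name, prf in (("HMAC-SHA1", hmac_sha1), ("SHA1(K | ...)", plain_sha1)):
        stream = expand(prf, K, S, 4 * BLOCK)
        for i in range(4):
            block = stream[i * BLOCK:(i + 1) * BLOCK]
            print(f"{name:14s} T{i + 1} = {block.hex()}")
```
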