
Re: IKEv2 use of HMAC-SHA-1 for Key Derivation



> >      T1 = HMAC-SHA1(0x00 | K, S)
> >      T2 = HMAC-SHA1(0x01 | K, T1 | S)
> >      T3 = HMAC-SHA1(0x02 | K, T2 | S )
> >      T4 = HMAC-SHA1(0x03 | K, T3 | S )
>
>This doesn't help at all. You can still find K in 2^160 operations
>(note that a guess can always be validated via the derived keys which
>produce visible outputs in the protocol).

This may be a tangent, but I just don't see how the above claim could be 
correct.


>There is no silliness here.
>And, as I said, for those that want >160 bits there are longer key hash
>functions to use

The issue is that the new hash functions (such as SHA-2) are slow, and no 
one wants to implement them solely for the purpose of key derivation (since 
no one is asking for a stronger per-packet hash).

Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.


