[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKEv2 use of HMAC-SHA-1 for Key Derivation
> > T1 = HMAC-SHA1(0x00 | K, S)
> > T2 = HMAC-SHA1(0x01 | K, T1 | S)
> > T3 = HMAC-SHA1(0x02 | K, T2 | S |
> > T4 = HMAC-SHA1(0x03 | K, T3 | S )
>
>This doesn't help at all. You can still find K in 2^160 operations
>(note that a guess can always be validated via the derived keys which
>produce visible outputs in the protocol).
This may be a tangent, but I just don't see how the above claim could be
correct.
>There is no silliness here.
>And, as I said, for those that want >160 bits there are longer key hash
>functions to use
The issue is that the new hash functions (such as SHA-2) are slow, and no
one wants to implement them solely for the purpose of key derivation (since
no one is asking for a stronger per-packet hash).
Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail