
Re: Summary of key derivation thread



The high entropy problem can be solved without use of SHA-2.  The
method I proposed is for condensing the D-H value down to more than
one internal key.  Call these the CONDKEYs.  Each one's length is the
length of the output of the hash function.  You can use a prf or a
hash to derive them, but the prefix to hash must vary for each one.
Generate enough CONDKEYs so that their total length exceeds the entropy
of the DH exchange.

CONDKEY0 = intn_key_func(0x00 | DHVAL, some_other_stuff)
CONDKEY1 = intn_key_func(0x01 | DHVAL, some_other_stuff)
...

When deriving a long session key, use the CONDKEYs in sequence:

key_func(CONDKEY0, 0x00 | other_stuff)
key_func(CONDKEY1, 0x01 | other_stuff)
key_func(CONDKEY0, 0x02 | other_stuff)
...

For HMAC vs. hash, IKE uses HMAC to its advantage in authentication,
and that shouldn't be changed; it seems immaterial whether or not it
uses it for key derivation.

Hilarie
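
The derivation described in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA1 for both intn_key_func and key_func with the first argument taken as the HMAC key, and reads the three-line session key listing as cycling through the CONDKEYs modulo their count; the names `prf`, `condense` and `session_key` and all sample values are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA1 stands in for both intn_key_func and key_func,
# with the first argument taken as the HMAC key.
HASH = hashlib.sha1
HASH_LEN = HASH().digest_size  # 20 bytes, i.e. 160 bits per CONDKEY


def prf(key, data):
    return hmac.new(key, data, HASH).digest()


def condense(dhval, some_other_stuff, entropy_bits):
    """CONDKEYi = prf(i | DHVAL, some_other_stuff), one per distinct prefix byte."""
    # Enough CONDKEYs that their total length strictly exceeds the DH entropy.
    count = entropy_bits // (HASH_LEN * 8) + 1
    if count > 256:
        raise ValueError("one-byte prefix allows at most 256 CONDKEYs")
    return [prf(bytes([i]) + dhval, some_other_stuff) for i in range(count)]


def session_key(condkeys, other_stuff, length):
    """Block j = prf(CONDKEY[j mod n], j | other_stuff), truncated to length."""
    blocks = -(-length // HASH_LEN)  # ceiling division
    if blocks > 256:
        raise ValueError("one-byte counter allows at most 256 blocks")
    out = b"".join(
        prf(condkeys[j % len(condkeys)], bytes([j]) + other_stuff)
        for j in range(blocks)
    )
    return out[:length]


if __name__ == "__main__":
    dhval = bytes(range(128))          # constructed 1024-bit D-H value
    nonces = b"Ni|Nr (constructed)"    # constructed some_other_stuff
    # Constructed assumption: the exchange carries about 180 bits of entropy.
    condkeys = condense(dhval, nonces, entropy_bits=180)
    key = session_key(condkeys, b"SPI (constructed)", 64)
    print(len(condkeys), key.hex())
```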