Re: IKEv2 use of HMAC-SHA-1 for Key Derivation

[Hugo Krawczyk <hugo@ee.technion.ac.il>]

On Thu, 5 Dec 2002, Andrew Krywaniuk wrote:

> > >      T1 = HMAC-SHA1(0x00 | K, S)
> > >      T2 = HMAC-SHA1(0x01 | K, T1 | S)
> > >      T3 = HMAC-SHA1(0x02 | K, T2 | S |
> > >      T4 = HMAC-SHA1(0x03 | K, T3 | S )
> >
> >This doesn't help at all. You can still find K in 2^160 operations
> >(note that a guess can always be validated via the derived keys which
> >produce visible outputs in the protocol).
> 
> This may be a tangent, but I just don't see how the above claim could be 
> correct.

Simply because at this point of the jey derivation K=SKEYSEED which is
already 160-bit long!

> 
> 
> >There is no silliness here.
> >And, as I said,  for those that want >160 bits there are longer key hash
> >functions to use
> 
> The issue is that the new hash functions (such as SHA-2) are slow, and no 
> one wants to implement them solely for the purpose of key derivation (since 
> no one is asking for a stronger per-packet hash).

Come on. Whoever is worried about 2^160 Ccomplexity attack should at least
be willing to use a slower hash function. Did you think of what the
complexity of using a DH group of > 160 bit of security will be?
And you can also use AES-192...

Hugo

> 
> Andrew
> --------------------------------------
> The odd thing about fairness is when
> we strive so hard to be equitable
> that we forget to be correct.
> 
> 
> 
> _________________________________________________________________
> Add photos to your e-mail with MSN 8. Get 2 months FREE*. 
> http://join.msn.com/?page=features/featuredemail
> 
>