Re: Summary of key derivation thread
Uri Blumenthal wrote:
>Now, the analysis (as far as I know) was done for the MAC case. There
>was no analysis done for PRF, and in any case in order to use HMAC as
>a secure PRF you'd need to assume that SHA is a secure PRF. But if it
>is so (i.e. if SHA is a secure PRF) - then you don't need the extras
>that HMAC provides.
Uri,
That's not correct. It is reasonable to view HMAC as a PRF,
but it is not reasonable to view SHA as a secure PRF (actually,
I'm not sure what the latter would mean, but it doesn't matter).
Anyway, what you say is wrong. There are good reasons to use
SHA-HMAC instead of plain SHA in this setting.
I've explained this before, but I'll do it again. Let me
cut-and-paste from an earlier email to you:
: It's true that the original Bellare/Canetti/Krawczyk paper only
: gave security theorems for HMAC as a MAC, and didn't analyze HMAC
: as a PRF. However, it's not too hard to adapt their theorems.
: Basically, if the keyed compression function is a secure PRF
: on single-block messages and the hash function keyed by the IV is
: weakly collision-resistant, then NMAC is a secure PRF. The
: results should be similar for HMAC. I agree that this is not
: proven explicitly in the BCK paper, but it should be easy to show.
:
: One could ask how reasonable it is to assume that the compression
: function (when keyed by using the key as its IV) is a secure PRF
: and not just a secure MAC. However, it seems like a fairly
: reasonable assumption, and so what folks are doing in practice
: seems fairly supportable by the theory.
Note that the above argument requires only the assumption that
SHA's compression function acts as a secure PRF *for single-block
messages*. No assumption is made about whether SHA is a secure
PRF (whatever that would mean) for *multiple-block* messages.
Since IKE might potentially use SHA on messages long enough that
they don't fit in a single block, this distinction is important.
Again, let me express my opinion that Hugo and Ran are (as usual)
100% correct. They've hit the nail on the head here.
-- David
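To make the NMAC/HMAC relationship in the quoted argument concrete, here is an added example (not from this thread or its authors) that implements SHA-1's compression function, the hash "keyed by the IV", NMAC on top of it, and checks that HMAC-SHA1 is exactly NMAC with the two IV-keys obtained by compressing K^ipad and K^opad; it assumes the key is at most one 64-byte block.

```python
import hashlib, hmac, struct

# Added example: SHA-1 compression function f, the IV-keyed hash H_k from the
# BCK argument, NMAC = H_k1(H_k2(m)), and HMAC-SHA1 rewritten as NMAC.
IV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state, block):
    """f(state, block): one 64-byte block in, 5-word chaining value out."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def sha1_keyed(iv, msg, prefix_len=0):
    """H_iv(msg): SHA-1 with the chaining value replaced by `iv`. prefix_len is
    how many bytes were already absorbed into iv, so the length field matches."""
    bit_len = (prefix_len + len(msg)) * 8
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    state = iv
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)

def nmac(k_out, k_in, msg, prefix_len=0):
    """NMAC(k1, k2, m) = H_k1(H_k2(m)), the construction the PRF argument is about."""
    return sha1_keyed(k_out, sha1_keyed(k_in, msg, prefix_len), prefix_len)

def hmac_sha1_via_nmac(key, msg):
    """HMAC-SHA1 as NMAC: IV-keys f(IV0, K^ipad), f(IV0, K^opad); 64 key bytes
    precede each hashed message. Assumes len(key) <= 64 (no pre-hashing)."""
    key = key.ljust(64, b"\x00")
    k_in = sha1_compress(IV0, bytes(b ^ 0x36 for b in key))
    k_out = sha1_compress(IV0, bytes(b ^ 0x5C for b in key))
    return nmac(k_out, k_in, msg, prefix_len=64)

def check(key, msg):
    """True when the from-scratch construction matches hashlib and hmac."""
    return (sha1_keyed(IV0, msg) == hashlib.sha1(msg).digest()
            and hmac_sha1_via_nmac(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())
```

Running `check` on a message longer than one block shows that the equivalence, and hence the PRF argument, carries over to multi-block inputs unchanged.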