Re: Summary of key derivation thread



Uri Blumenthal wrote:
>Now, the analysis (as far as I know) was done for the MAC case. There
>was no analysis done for PRF, and in any case in order to use HMAC as
>a secure PRF you'd need to assume that SHA is a secure PRF. But if it
>is so (i.e. if SHA is a secure PRF) - then you don't need the extras
>that HMAC provides.

Uri,

That's not correct.  It is reasonable to view HMAC as a PRF,
but it is not reasonable to view SHA as a secure PRF (actually,
I'm not sure what the latter would mean, but it doesn't matter).

Anyway, what you say is wrong.  There are good reasons to use
SHA-HMAC instead of plain SHA in this setting.

I've explained this before, but I'll do it again.  Let me
cut-and-paste from an earlier email to you:

: It's true that the original Bellare/Canetti/Krawczyk paper only
: gave security theorems for HMAC as a MAC, and didn't analyze HMAC
: as a PRF.  However, it's not too hard to adapt their theorems.
: Basically, if the keyed compression function is a secure PRF
: on single-block messages and the hash function keyed by the IV is
: weakly collision-resistant, then NMAC is a secure PRF.  The
: results should be similar for HMAC.  I agree that this is not
: proven explicitly in the BCK paper, but it should be easy to show.
: 
: One could ask how reasonable it is to assume that the compression
: function (when keyed by using the key as its IV) is a secure PRF
: and not just a secure MAC.  However, it seems like a fairly
: reasonable assumption, and so what folks are doing in practice
: seems fairly supportable by the theory.

Note that the above argument requires only the assumption that
SHA's compression function acts as a secure PRF *for single-block
messages*.  No assumption is made about whether SHA is a secure
PRF (whatever that would mean) for *multiple-block* messages.
Since IKE might potentially use SHA on messages long enough that
they don't fit in a single block, this distinction is important.

Again, let me express my opinion that Hugo and Ran are (as usual)
100% correct.  They've hit the nail on the head here.

-- David
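The single-block point in the message above can be made concrete by building HMAC from its two nested hash calls and counting what each one processes. The code below is an added illustration, not part of the original thread or of any IKE implementation; it uses Python's standard `hashlib` and `hmac` modules and SHA-256 (block size 64 bytes, output 32 bytes) as the concrete hash, and the inputs it hashes are constructed test values. The outer hash only ever absorbs the 32-byte inner digest after the key block, so the message-dependent part of its input always fits in one compression-function block, however long the original message is; the inner hash is the one that runs over many blocks.

```python
import hashlib
import hmac
import math

BLOCK = 64   # SHA-256 compression function block size, in bytes
OUT = 32     # SHA-256 digest size, in bytes
LEN_FIELD = 8  # Merkle-Damgard length encoding appended at padding time


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || M)).

    Prepending a full key block is how HMAC "keys" the compression function
    without changing the hash's fixed IV: after absorbing K^ipad (or K^opad)
    the chaining state is a secret value that acts like the key of NMAC.
    """
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()   # long keys are hashed first
    key = key.ljust(BLOCK, b"\x00")           # short keys are zero-padded
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad_key + msg).digest()     # runs over all of M
    return hashlib.sha256(opad_key + inner).digest()    # sees only 32 bytes


def message_blocks(msg_len: int) -> tuple[int, int]:
    """How many compression-function calls each hash makes after its key block.

    Returns (inner_calls, outer_calls). The inner hash absorbs the key block,
    the whole message, the 0x80 pad byte and the 8-byte length field, so it
    grows with the message. The outer hash absorbs the key block and then the
    fixed-size inner digest plus padding, which always fits in one block.
    """
    def calls_after_key(payload_len: int) -> int:
        total = BLOCK + payload_len + 1 + LEN_FIELD
        return math.ceil(total / BLOCK) - 1   # minus the key block itself

    return calls_after_key(msg_len), calls_after_key(OUT)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, msg), reference)


if __name__ == "__main__":
    # Constructed example inputs (the classic RFC-style test phrase).
    key = b"key"
    short_msg = b"The quick brown fox jumps over the lazy dog"
    long_msg = b"A" * 1000   # a message far longer than one hash block

    print(hmac_sha256(key, short_msg).hex())
    print("matches hmac module:", matches_stdlib(key, short_msg),
          matches_stdlib(key, long_msg))
    for m in (short_msg, long_msg):
        inner, outer = message_blocks(len(m))
        print(f"len={len(m):4d}  inner hash blocks={inner:3d}  "
              f"outer hash blocks={outer}")
```

Running it shows the outer hash count staying at 1 for every message length while the inner count grows, which is exactly why the PRF assumption in the argument above is only needed for the keyed compression function on single-block inputs, with the inner (multi-block) hash needing only weak collision resistance.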