[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Summary of key derivation thread

To: ipsec@lists.tislabs.com
Subject: Re: Summary of key derivation thread
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 6 Dec 2002 19:15:53 GMT
Distribution: isaac
Newsgroups: isaac.lists.ipsec
Organization: University of California, Berkeley
References: <200212051428.JAA34568@ornavella.watson.ibm.com> <3DEF8A1E.D988B6E3@bell-labs.com> <asokhb$u6o$1@abraham.cs.berkeley.edu> <3DF0557D.2314FC80@bell-labs.com>
Sender: owner-ipsec@lists.tislabs.com

Uri Blumenthal  wrote:
>David Wagner wrote:
>> That's not correct.  It is reasonable to view HMAC as a PRF,
>> but it is not reasonable to view SHA as a secure PRF.......
>
>Because of single-block vs. multiple-block issues?

Two reasons.  First, SHA takes one input, while a PRF takes two.
Second, F_k(x) = SHA(k || x) is not a secure PRF, because of
extension attacks.

If you want a PRF, SHA-HMAC is the "right" object, IMHO, not SHA.

References:
- Re: Summary of key derivation thread
  - From: Ran Canetti <canetti@watson.ibm.com>
- Re: Summary of key derivation thread
  - From: Uri Blumenthal <uri@bell-labs.com>
- Re: Summary of key derivation thread
  - From: daw@mozart.cs.berkeley.edu (David Wagner)
- Re: Summary of key derivation thread
  - From: Uri Blumenthal <uri@bell-labs.com>

Prev by Date: Re: speaking of keys
Next by Date: Re: speaking of keys
Prev by thread: Re: speaking of keys
Next by thread: Re: Summary of key derivation thread
Index(es):
- Date
- Thread