
Re: Use of AES as prf in IKEv2



Andrew Krywaniuk wrote:
> Some claim that the rationale for using AES for MAC'ing in addition to 
> symmetric crypto is to reduce the code footprint. Using SHA to pre-hash 
> the key would defeat that.

Yes to both. We could use AES for hashing as well.


> If truncating the nonces is lossy (which is only true if your PRNG is 
> bad) then why not just use XOR? [Assume 128 bit AES.] Divide up the 
> keystream into 128 bit blocks and XOR them all together.

???

> If someone is going to claim that XORing the 2 nonces together is 
> insecure, then you could still XOR the nonces into two separate 64 bit 
> blocks.

This sounds much better.
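A worked illustration of the two XOR-folding options discussed above, added here as an example and not part of the original exchange. It assumes 128-bit AES (16-byte blocks) and reads "XOR the nonces into two separate 64 bit blocks" as folding each nonce on its own and concatenating the halves; the nonce values are constructed for the demonstration.

```python
def fold_xor(data: bytes, block_len: int) -> bytes:
    """XOR consecutive block_len-byte chunks of data into one block.

    The final chunk is zero-padded if len(data) is not a multiple of
    block_len, so any nonce length folds down to exactly block_len bytes.
    """
    acc = bytearray(block_len)
    for i in range(0, len(data), block_len):
        chunk = data[i:i + block_len].ljust(block_len, b"\x00")
        for j, b in enumerate(chunk):
            acc[j] ^= b
    return bytes(acc)


def combined_key(ni: bytes, nr: bytes) -> bytes:
    """Option 1 from the thread: concatenate both nonces and fold the
    whole stream into a single 128-bit block."""
    return fold_xor(ni + nr, 16)


def separate_key(ni: bytes, nr: bytes) -> bytes:
    """Option 2 from the thread: fold each nonce into its own 64-bit
    block and concatenate, so neither side can cancel the other's
    contribution."""
    return fold_xor(ni, 8) + fold_xor(nr, 8)


if __name__ == "__main__":
    # Constructed nonces: the responder simply echoes the initiator's nonce.
    ni = bytes(range(16))
    nr = ni
    # With option 1 the two equal blocks cancel and the key is all zeros,
    # independent of whatever Ni was. With option 2 the key still depends on Ni.
    print("combined:", combined_key(ni, nr).hex())
    print("separate:", separate_key(ni, nr).hex())
```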