
Re: Use of AES as prf in IKEv2



Charlie_Kaufman@notesdev.ibm.com wrote:
> Hugo pointed out that the IKEv2 spec assumes that prf functions accept
> variable (and arbitrary) size keys, which won't always be the case. I
> thought the question was only theoretical because HMAC does and that was
> the only prf we defined.

(:-)  Defined for now!

> But I notice that we added an IKE Suite #5, which specifies: "AES-CBC MAC +
> XCBC integrity and prf". I'm having multiple problems parsing that. I think
> I know what AES-CBC MAC is as an integrity protection function. But what
> does "+ XCBC" mean and how do we feed two variable length inputs into this
> thing for the purpose of doing key expansion.

I think Suite #5 is a Good thing, but requires details to be fleshed out.

> And I'll bet no one really thought about how to use it with a variable
> length key for key expansion. IKEv2 computes SKEYSEED = prf ( Ni | Nr ,
> g^xy). Nonces are variable length. We could specify (as Hugo recommended)
> that each nonce be truncated at half the fixed key size. I'd be happier
> using SHA-1(Ni | Nr) truncated as the key. I'd be happier still saying that
> even if we're using AES-CBC + XCBC for integrity we still use SHA-1 as our
> prf. What do others think?

I think that using SHA in this context sucks. But am not ready YET to
offer an acceptable variable-input AES-based hash. Talk to y'all at
the meeting.
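The quoted SKEYSEED = prf(Ni | Nr, g^xy) computation and the two proposed ways of fitting variable-length nonces into a fixed-size prf key, worked through as an added Python example (written for this page, not code from the thread or from the IKEv2 draft). The nonces and the g^xy value are constructed sample bytes; the fixed-key prf is a stand-in that only models the 128-bit key-length contract of an AES-based prf with HMAC-SHA256 underneath, it is not AES-XCBC. Function names (hmac_prf, fixed_key_prf, key_from_truncated_nonces, key_from_hashed_nonces) are this example's own.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread. IKEv2 nonces are
# variable length (16..256 bytes); 40 bytes each keeps Ni|Nr above HMAC-SHA1's
# 64-byte block size so the long-key behaviour is visible.
NI = b"\x0a" * 40      # initiator nonce (constructed)
NR = b"\xb1" * 40      # responder nonce (constructed)
G_XY = b"\xc3" * 128   # stand-in for the Diffie-Hellman shared secret (constructed)

FIXED_KEY_LEN = 16     # 128-bit key, as an AES-based prf would require


def hmac_prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 used as the IKEv2 prf: any key length is accepted because
    RFC 2104 hashes keys longer than the block size before use."""
    return hmac.new(key, data, hashlib.sha1).digest()


def fixed_key_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for a fixed-key AES-based prf (AES-XCBC is NOT implemented here;
    only the 'key must be exactly 128 bits' contract is modelled, assumption)."""
    if len(key) != FIXED_KEY_LEN:
        raise ValueError(f"prf key must be exactly {FIXED_KEY_LEN} bytes, got {len(key)}")
    return hmac.new(key, data, hashlib.sha256).digest()[:FIXED_KEY_LEN]


def skeyseed(prf, ni: bytes, nr: bytes, g_xy: bytes) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^xy) exactly as the draft writes it:
    the concatenated nonces are the *key*, g^xy is the data."""
    return prf(ni + nr, g_xy)


def key_from_truncated_nonces(ni: bytes, nr: bytes, key_len: int = FIXED_KEY_LEN) -> bytes:
    """Option 1 from the thread: truncate each nonce to half the fixed key size."""
    half = key_len // 2
    if len(ni) < half or len(nr) < half:
        raise ValueError("nonce shorter than half the prf key size")
    return ni[:half] + nr[:half]


def key_from_hashed_nonces(ni: bytes, nr: bytes, key_len: int = FIXED_KEY_LEN) -> bytes:
    """Option 2 from the thread: SHA-1(Ni | Nr) truncated to the fixed key size."""
    return hashlib.sha1(ni + nr).digest()[:key_len]


def hmac_long_key_is_hashed() -> bool:
    """Show that HMAC already does the 'hash the long key' step internally:
    keying HMAC-SHA1 with the 80-byte Ni|Nr gives the same result as keying
    it with SHA-1(Ni|Nr)."""
    direct = hmac_prf(NI + NR, G_XY)
    prehashed = hmac_prf(hashlib.sha1(NI + NR).digest(), G_XY)
    return direct == prehashed


def demo() -> dict:
    """Run SKEYSEED through both prf styles and report what happens."""
    results = {"hmac": skeyseed(hmac_prf, NI, NR, G_XY)}
    try:
        skeyseed(fixed_key_prf, NI, NR, G_XY)          # 80-byte key: rejected
        results["fixed_raw"] = "accepted"
    except ValueError as err:
        results["fixed_raw"] = str(err)
    results["fixed_trunc"] = fixed_key_prf(key_from_truncated_nonces(NI, NR), G_XY)
    results["fixed_hash"] = fixed_key_prf(key_from_hashed_nonces(NI, NR), G_XY)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
    print("HMAC hashes long keys itself:", hmac_long_key_is_hashed())
```

The point the example makes concrete: with HMAC the variable-length Ni | Nr is a valid key as written, and the "SHA-1(Ni | Nr) as key" option is something HMAC-SHA1 already does internally for keys over 64 bytes. A fixed-key prf has no such rule, so the draft text is underspecified for it and one of the two key-conditioning options (or an equivalent rule inside the prf definition) has to be written down. For reference, the later RFC 4434 resolved this for AES-XCBC-PRF-128 by defining its own rule for short and long keys rather than truncating nonces.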