[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Use of AES as prf in IKEv2

To: Charlie_Kaufman@notesdev.ibm.com
Subject: Re: Use of AES as prf in IKEv2
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 18 Mar 2003 04:14:31 +0200 (IST)
cc: ipsec@lists.tislabs.com
In-Reply-To: <OFAD804FC5.47A1C20D-ON85256CE7.0014F828-85256CE7.00168186@notesdev.ibm.com>
Sender: owner-ipsec@lists.tislabs.com



> We could specify (as Hugo recommended)
> that each nonce be truncated at half the fixed key size. I'd be happier
> using SHA-1(Ni | Nr) truncated as the key. I'd be happier still saying that
> even if we're using AES-CBC + XCBC for integrity we still use SHA-1 as our
> prf.
> 
> What do others think?

Not clear that I qualify as "others" but let me express my view here. I am
always glad to see that you are a real fan of HMAC :), yet I do believe
that a serious, long-term, protocol must allow for use of other prf's.
Certainly prf's based on block ciphers. They may turn to be more secure
or more economic (as in the case of h/w implementations that want to save
a HMAC implementation). And, as you noted, we alreadyhave a block cipher
based prf in one of the ciphersuites.

I do not see a problem in requiring the nonces to be strongly random or
pseudorandom. Most implementation that are not able to produce good enough
nonces wil not produce strong enough DH exponents either (except, maybe,
if they generate those on-line). Yet, if this lack of quality randomness
is of real concern then you could opt to define the key as Ni xor Nr. 
The benefit here is that it is enough that one of the peers generates
a good (pseudo) random nonce for the xor to be good. The drawback is that
the responder can fix the xor to any value of his choice. I am not sure
that the latter is a real problem. After all if the (authenticated)
responder in a given session is corupted or malicious then there is no
much meaning to the security of that session. Moreover, contrary to some
seemingly popular belief, either peer can weaken the exchanged key via
their chosen DH exponents. (For example by chosing a 8-bit exponent...)

In any case, I would not leave it to an external per-prf specification to 
determine the way that the key is derived for use in the prf. This will 
probably create confusion and, in practice, will be a barrier to the use
of non-HMAC prfs.

Hugo

> 
>           --Charlie
> 
> Opinions expressed may not even be mine by the time you read them, and
> certainly don't reflect those of any other entity (legal or otherwise).
> 
>

Follow-Ups:
- Re: Use of AES as prf in IKEv2
  - From: Charlie_Kaufman@notesdev.ibm.com

References:
- Use of AES as prf in IKEv2
  - From: Charlie_Kaufman@notesdev.ibm.com

Prev by Date: Re: "Me Tarzan, You Jane" in IKEv2-05
Next by Date: Re: comments on ikev2 05 (editorial)
Prev by thread: Re: Use of AES as prf in IKEv2
Next by thread: Re: Use of AES as prf in IKEv2
Index(es):
- Date
- Thread