
Re: comments on ikev2 05 (editorial)







This is also related to prf functions with fixed length keys. I had
proposed that the AUTH payload be computed as:

AUTH = prf(Shared Secret | "Key Pad for IKEv2", <message bytes>)

which won't work if the prf has a fixed size key. Hugo proposed the
alternative encoding:

AuthSecret = prf( prf(Shared Secret, "Key Pad for IKEv2") , <message bytes>)

and using that encoding whether or not the prf takes a fixed size key
(presumably with Shared Secret padded or truncated as necessary to match
the fixed key size).

I'm happy with that. Any objections?

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).

> Yes. I now understand.
> However, this is too much of HMAC-centric thinking.
> In your above proposal you are assuming an arbitrary key-length prf,
> which is not the general case as discussed in relation to the Ni|Nr
> issue (to which I answered separately).
>
> Here, there is a (mathematically) cleaner way to achieve what you want.
> Assuming that SharedSecret is suitable as key to a prf, then you can
> define AuthSecret = prf(SharedSecret, "Key Pad for IKEv2")
> and AUTH = prf(AuthSecret, <message bytes>).
>
> Note that in this way you make it clear that it suffices to keep the value
> AuthSecret in memory (rather than Shared Secret) for authentication
> (thus achieving the password protection you intended)
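
The two encodings discussed in this message, as an added example that is not part of the original message or of the IKEv2 draft. It assumes HMAC-SHA256 restricted to 32-byte keys as a stand-in for a fixed-key-size prf and zero-padding as the pad/truncate rule; all function names are hypothetical.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"
FIXED_KEY_LEN = 32  # assumption: the stand-in prf accepts only 32-byte keys

def prf_variable(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, a prf that accepts keys of any length."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_fixed(key: bytes, data: bytes) -> bytes:
    """Stand-in for a fixed-key-size prf: rejects keys of the wrong length."""
    if len(key) != FIXED_KEY_LEN:
        raise ValueError(f"prf needs a {FIXED_KEY_LEN}-byte key, got {len(key)}")
    return hmac.new(key, data, hashlib.sha256).digest()

def fit_key(secret: bytes, size: int) -> bytes:
    """Assumed rule: truncate or zero-pad the shared secret to the key size."""
    return secret[:size].ljust(size, b"\x00")

def auth_concat(prf, shared_secret: bytes, message: bytes) -> bytes:
    """First encoding: the pad string is appended to the key itself."""
    return prf(shared_secret + KEY_PAD, message)

def derive_auth_secret(prf, shared_secret: bytes) -> bytes:
    """Second encoding, step 1: the pad string is prf input, not key material."""
    return prf(shared_secret, KEY_PAD)

def auth_nested(prf, auth_secret: bytes, message: bytes) -> bytes:
    """Second encoding, step 2: only AuthSecret is needed to compute AUTH."""
    return prf(auth_secret, message)

def demo() -> dict:
    secret = b"correct horse battery staple"  # constructed sample secret
    message = b"constructed message bytes"    # constructed sample input
    fitted = fit_key(secret, FIXED_KEY_LEN)
    results = {"concat_variable": auth_concat(prf_variable, secret, message)}
    try:
        # Appending the pad string makes the key 17 bytes too long.
        auth_concat(prf_fixed, fitted, message)
        results["concat_fixed"] = "accepted"
    except ValueError:
        results["concat_fixed"] = "rejected"
    stored = derive_auth_secret(prf_fixed, fitted)  # value kept in memory
    results["auth_secret_len"] = len(stored)
    results["nested_fixed"] = auth_nested(prf_fixed, stored, message)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The nested form only works with a fixed-key prf when the prf output length equals its key length, which holds for the stand-in used here.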