Re: Summary of key derivation thread
The high entropy problem can be solved without use of SHA-2. The
method I proposed is for condensing the D-H value down to more than
one internal key. Call these the CONDKEYs. Each one's length is the
length of the output of the hash function. You can use a prf or a
hash to derive them, but the prefix to hash must vary for each one.
Generate enough CONDKEYs so that their total length exceeds the entropy
of the DH exchange.

    CONDKEY0 = intn_key_func(0x00 | DHVAL, some_other_stuff)
    CONDKEY1 = intn_key_func(0x01 | DHVAL, some_other_stuff)
    ...

When deriving a long session key, use the CONDKEYs in sequence:

    key_func(CONDKEY0, 0x00 | other_stuff)
    key_func(CONDKEY1, 0x01 | other_stuff)
    key_func(CONDKEY0, 0x02 | other_stuff)
    ...

For HMAC vs. hash, IKE uses HMAC to its advantage in authentication,
and that shouldn't be changed; it seems immaterial whether or not it
uses it for key derivation.
Hilarie
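
The scheme described in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA1 for both intn_key_func and key_func, keyed with "some_other_stuff" for the condensing step, and cycles through the CONDKEYs by counter; those choices and all sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha1                # assumption: 160-bit hash, i.e. no SHA-2
HASH_LEN = HASH().digest_size      # 20 bytes


def prf(key: bytes, msg: bytes) -> bytes:
    """Assumed stand-in for both intn_key_func and key_func: HMAC-SHA1."""
    return hmac.new(key, msg, HASH).digest()


def condense(dh_value: bytes, entropy_bits: int, other: bytes) -> list:
    """CONDKEYi = prf(other, i | DHVAL), with enough keys that their total
    length exceeds the entropy of the DH exchange."""
    n = entropy_bits // (HASH_LEN * 8) + 1
    if n > 256:
        raise ValueError("one-byte prefix allows at most 256 CONDKEYs")
    return [prf(other, bytes([i]) + dh_value) for i in range(n)]


def derive_key(condkeys: list, other: bytes, length: int) -> bytes:
    """Block j = prf(CONDKEY[j mod n], j | other); blocks are concatenated."""
    blocks = -(-length // HASH_LEN)          # ceiling division
    if blocks > 256:
        raise ValueError("one-byte counter allows at most 256 blocks")
    out = b"".join(
        prf(condkeys[j % len(condkeys)], bytes([j]) + other)
        for j in range(blocks)
    )
    return out[:length]


# Constructed sample inputs, not real protocol values.
SAMPLE_DH = bytes(range(128))                # stands in for a 1024-bit g^xy
SAMPLE_NONCES = b"Ni-constructed" + b"Nr-constructed"

if __name__ == "__main__":
    keys = condense(SAMPLE_DH, 256, SAMPLE_NONCES)   # assume 256 bits of entropy
    print(len(keys), "CONDKEYs")
    print(derive_key(keys, b"session", 64).hex())
```

With an assumed 256 bits of entropy and a 160-bit hash, two CONDKEYs are produced (320 bits in total), and a 64-byte session key draws on CONDKEY0, CONDKEY1, CONDKEY0, CONDKEY1 in turn.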