[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKEv2 use of HMAC-SHA-1 for Key Derivation
On Thu, 5 Dec 2002, Andrew Krywaniuk wrote:
> > > T1 = HMAC-SHA1(0x00 | K, S)
> > > T2 = HMAC-SHA1(0x01 | K, T1 | S)
> > > T3 = HMAC-SHA1(0x02 | K, T2 | S |
> > > T4 = HMAC-SHA1(0x03 | K, T3 | S )
> >
> >This doesn't help at all. You can still find K in 2^160 operations
> >(note that a guess can always be validated via the derived keys which
> >produce visible outputs in the protocol).
>
> This may be a tangent, but I just don't see how the above claim could be
> correct.
Simply because at this point of the jey derivation K=SKEYSEED which is
already 160-bit long!
>
>
> >There is no silliness here.
> >And, as I said, for those that want >160 bits there are longer key hash
> >functions to use
>
> The issue is that the new hash functions (such as SHA-2) are slow, and no
> one wants to implement them solely for the purpose of key derivation (since
> no one is asking for a stronger per-packet hash).
Come on. Whoever is worried about 2^160 Ccomplexity attack should at least
be willing to use a slower hash function. Did you think of what the
complexity of using a DH group of > 160 bit of security will be?
And you can also use AES-192...
Hugo
>
> Andrew
> --------------------------------------
> The odd thing about fairness is when
> we strive so hard to be equitable
> that we forget to be correct.
>
>
>
> _________________________________________________________________
> Add photos to your e-mail with MSN 8. Get 2 months FREE*.
> http://join.msn.com/?page=features/featuredemail
>
>