NIST spec for hash-based key derivation.

To: ietf-ssh%netbsd.org@localhost
Subject: NIST spec for hash-based key derivation.
From: Bill Sommerfeld <sommerfeld%sun.com@localhost>
Date: Thu, 03 Nov 2005 13:59:04 -0500

Russ Housley sent the enclosed message to the saag%mit.edu@localhost list last
week
(SAAG is the IETF Security Area Advisory Group; it's a public list).
There's been some discussion on this which followed.

I took a look at this draft-dang-nistkdf-00, and the NIST draft SP
800-56 it references.  It specifies a method for using a hash function
to derive arbitrary-length session keys from a shared secret (such as
the result of a DH exchange).  In addition, Appendix B of the NIST draft
lists a few alternatives as well as a few design principles for KDF's.

At first glance it looks to me that the key derivation used in SSHv2
violates a few of these design principles. 

In addition, there's a secondary consideration for folks building
systems aimed at certain markets.  To quote from a later message in the
thread from Tim Polk:

        Since we currently don't have a standard, cryptomodules can 
	currently implement any KDF they choose.  Once this document is
	finalized, cryptomodules would be limited to "approved" KDFs (at
	least in FIPS mode).

I've asked Tim to ask NIST to look at the SSH KDF; I haven't heard back
from him but cryptographers usually take their time.

If people are interested in using SSH with FIPS-certified crypto modules
the path of least resistance may well be to define a new key exchange
which uses this KDF.

						- Bill


-----Forwarded Message-----
From: Russ Housley <housley%vigilsec.com@localhost>
To: saag%mit.edu@localhost
Subject: [saag] Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 12:44:42 -0400

I wanted call your attention to an individual draft on "Hash-Based 
Key Derivation."

       http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt

This draft specifies a soon to be NIST-approved algorithm for 
deriving secret key material from a shared secret using a hash 
algorithm.  This algorithm is in the NIST draft SP 800-56.

I encourage review and comment.  If you have concerns with this 
document, then the concerns probably apply to he NIST draft SP 800-56 
document too.

I am considering sponsoring this document as an Informational 
RFC.  Please let me know if you have any concerns with this proposed action.

Thanks,
   Russ

_______________________________________________
saag mailing list
saag%mit.edu@localhost
https://jis.mit.edu/mailman/listinfo/saag

Follow-Ups:
- Re: NIST spec for hash-based key derivation.
  - From: Joseph Galbraith

Prev by Date: Re: Eyeballs needed.
Next by Date: Re: NIST spec for hash-based key derivation.
Previous by Thread: DSA keys larger than 1024 bits
Next by Thread: Re: NIST spec for hash-based key derivation.
Indexes:

Home | Main Index | Thread Index | Old Index