IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NIST spec for hash-based key derivation.
Russ Housley sent the enclosed message to the saag%mit.edu@localhost list last
week
(SAAG is the IETF Security Area Advisory Group; it's a public list).
There's been some discussion on this which followed.
I took a look at this draft-dang-nistkdf-00, and the NIST draft SP
800-56 it references. It specifies a method for using a hash function
to derive arbitrary-length session keys from a shared secret (such as
the result of a DH exchange). In addition, Appendix B of the NIST draft
lists a few alternatives as well as a few design principles for KDF's.
At first glance it looks to me that the key derivation used in SSHv2
violates a few of these design principles.
In addition, there's a secondary consideration for folks building
systems aimed at certain markets. To quote from a later message in the
thread from Tim Polk:
Since we currently don't have a standard, cryptomodules can
currently implement any KDF they choose. Once this document is
finalized, cryptomodules would be limited to "approved" KDFs (at
least in FIPS mode).
I've asked Tim to ask NIST to look at the SSH KDF; I haven't heard back
from him but cryptographers usually take their time.
If people are interested in using SSH with FIPS-certified crypto modules
the path of least resistance may well be to define a new key exchange
which uses this KDF.
- Bill
-----Forwarded Message-----
From: Russ Housley <housley%vigilsec.com@localhost>
To: saag%mit.edu@localhost
Subject: [saag] Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 12:44:42 -0400
I wanted call your attention to an individual draft on "Hash-Based
Key Derivation."
http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt
This draft specifies a soon to be NIST-approved algorithm for
deriving secret key material from a shared secret using a hash
algorithm. This algorithm is in the NIST draft SP 800-56.
I encourage review and comment. If you have concerns with this
document, then the concerns probably apply to he NIST draft SP 800-56
document too.
I am considering sponsoring this document as an Informational
RFC. Please let me know if you have any concerns with this proposed action.
Thanks,
Russ
_______________________________________________
saag mailing list
saag%mit.edu@localhost
https://jis.mit.edu/mailman/listinfo/saag
Home |
Main Index |
Thread Index |
Old Index