1 Standardizing Key Derivation Functions
Hugo Krawczyk, IBM Research
Or: google kdf hmac

2 Key Derivation Functions (KDF)
Everywhere: key expansion, key-exchange protocols, physical RNGs, system PRNGs, password-derived keys, key encapsulation, key wrapping, hybrid PK systems, key hierarchies, etc.
So what is it? Can we standardize a single multi-purpose scheme?
Proliferation of ad-hoc schemes, no clear candidate for standardization; everyone invents their own scheme.
Time for action (part of cleaning the "hash mess")
- In particular: prudent use of hash functions, sound rationale

3 The proposed scheme (HMAC-based)
(Similar to IKE's KDF)
Internet draft coming ...

4 Paper with VERY detailed rationale
- Why this scheme
- Why common plain-hash designs should be avoided
- Focus on prudent use of hash functions and mathematical rationale
Here: short summary, call for action
Feedback welcome ...

5 KDF: What is it?
From "Initial Source Key Material" to one or more strong cryptographic keys (fixed size, "close to uniform")
Source key material (many forms):
- A random uniform string (or a strong cryptographic key): just a key expansion functionality (from one key to many)
- An imperfect random number generator, an "event sampler", etc.: a good amount of entropy but not in a uniform way (e.g. 160 bits of entropy "trapped" in a 1KB stream)
- Output of a key exchange (e.g. Diffie-Hellman): computational entropy
- Partial entropy, non-uniform, attacker has partial knowledge

6 KDF: Two Main Functionalities
Key Expansion: given a first cryptographically strong key, derive more keys
Key Extraction: derive a first cryptographically strong key from an "imperfect source of randomness"
- Imperfect RNG, system PRNG, Diffie-Hellman, etc.
Two fundamentally different functionalities
Often mixed/confused in ad-hoc KDF schemes (a recipe for weaknesses and pitfalls)
Our approach: Extract-then-Expand

7 Key Expansion (the "easy" case)
Given a first strong key, derive more keys
- K -> K1, K2, K3 (e.g. keys for MAC, encryption, etc.)
- If K is cryptographically strong, so should K1, K2, ... be
Independence: knowing Ki should not help learning anything about Kj
Standard implementation via PRF: e.g. Ki = PRF(K, i)
Many think of KDF just as key expansion
- Leads to weak designs: e.g., using the DH value g^xy directly as a PRF key (TLS)
Simple, but often "wrong" (no binding, weak use of hash, etc.), and non-standardized

8 Key Extraction (the challenge)
Source key material --> Extractor --> Output (uniform)
- From partial randomness to strong crypto key
Extractor: a well-known notion in complexity theory
Here: cryptographic instantiation for KDFs (HMAC-based)
Deterministic vs non-deterministic extractors
- Using a random salt in the extractor computation allows for much stronger properties ("generic extractor", enforces independence)
- Salt: random but non-secret (similar to an IV) and reusable! We will use it optionally if available (e.g., RNG, key exchange)

9 Extract-then-Expand
Extract-then-Expand: our basic design paradigm
Two well-differentiated modules, for the two well-differentiated functionalities
Modules are orthogonal and replaceable
But can be implemented with the same underlying cryptographic primitive: hash functions or block ciphers
Our specific hash-based proposal uses HMAC for both

10 Generic Extract-then-Expand KDF
K_prf = Extract(salt, skm)
  (skm = source key material; salt is optional)
Keys = Expand(K_prf, Keys-length, ctxt_info)
  (ctxt_info binds the keys to the application "context")

11 HMAC-based Implementation (HMAC as extractor and PRF)
K_prf = HMAC(salt, skm)
  (skm = source key material; the first parameter is HMAC's key; can set salt to 0)
Keys = HMAC(K_prf, Keys-length, ctxt_info)
  where Keys = K_1 || K_2 || ... and K_{i+1} = HMAC(K_prf, K_i || ctxt_info || i)
  (HMAC in "feedback mode", which I prefer to counter mode)
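The two-module construction of slides 10 and 11 (extraction from a possibly non-uniform source as on slides 5 and 8, then context-bound expansion in HMAC feedback mode), as an added, self-contained example. This is not code from the talk or from any IETF draft; the concrete counter placement and the default all-zero salt are the conventions later fixed in RFC 5869 (HKDF), which is where this proposal was standardized, and the RFC's first test vector is used to check them. Function names, the `derive_session_keys` helper and the "trapped entropy" sample buffer are this example's own.

```python
"""Extract-then-Expand KDF with HMAC as both extractor and PRF.

Added example, not code from the talk or from any IETF draft.  Layout follows
slides 10-11 (K_prf = HMAC(salt, skm); keys from HMAC in feedback mode bound to
ctxt_info) with the counter/default-salt conventions of RFC 5869:
    T(1) = HMAC(K_prf, ctxt_info || 0x01)
    T(i) = HMAC(K_prf, T(i-1) || ctxt_info || i)
"""
import hashlib
import hmac


def extract(salt, skm, hash_name="sha256"):
    """Extraction step: HMAC keyed with the non-secret, optional salt.
    Slide 11: the first parameter is HMAC's key and salt may be set to 0;
    an empty salt becomes HashLen zero bytes, as RFC 5869 specifies."""
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = bytes(hash_len)
    return hmac.new(salt, skm, hash_name).digest()


def expand(k_prf, length, ctxt_info=b"", hash_name="sha256"):
    """Expansion step: HMAC in feedback mode; ctxt_info binds the output
    to the application context.  Returns exactly `length` bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("key length must be between 1 and 255*HashLen bytes")
    out = bytearray()
    prev = b""            # T(0) is the empty string
    counter = 1           # single-byte counter, so at most 255 blocks
    while len(out) < length:
        prev = hmac.new(k_prf, prev + ctxt_info + bytes([counter]), hash_name).digest()
        out += prev
        counter += 1
    return bytes(out[:length])


def kdf(skm, length, salt=b"", ctxt_info=b"", hash_name="sha256"):
    """Extract-then-Expand in one call."""
    return expand(extract(salt, skm, hash_name), length, ctxt_info, hash_name)


def derive_session_keys(skm, salt, key_len=32):
    """Slide 7's K -> K1, K2, ...: extract once, then expand per context.
    The context string makes the keys independent of one another."""
    k_prf = extract(salt, skm)
    return {ctx: expand(k_prf, key_len, ctx) for ctx in (b"enc", b"mac", b"iv")}


# Constructed sample in the spirit of slide 5: a 1 KB buffer whose entropy is
# "trapped" in 20 scattered bytes, the rest being predictable filler.
# (Constructed for this example, not a capture from any real RNG.)
_buf = bytearray(1024)
_noise = b"\x9a\x11\xf3\x07\x4c\xd8\x2e\x61\xb5\x90\x3f\xaa\x58\xc2\x16\x7d\xe9\x0b\x84\x37"
for _pos, _val in zip(range(7, 1024, 53), _noise):
    _buf[_pos] = _val
NONUNIFORM_SKM = bytes(_buf)

# RFC 5869 test case 1 (HMAC-SHA256), used to check the expansion convention.
RFC5869_CASE1 = dict(
    ikm=bytes.fromhex("0b" * 22),
    salt=bytes.fromhex("000102030405060708090a0b0c"),
    info=bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    length=42,
    prk="077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    okm="3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865",
)


def matches_rfc5869_case1():
    """True if extract/expand reproduce the RFC 5869 vector."""
    c = RFC5869_CASE1
    return (extract(c["salt"], c["ikm"]).hex() == c["prk"]
            and kdf(c["ikm"], c["length"], c["salt"], c["info"]).hex() == c["okm"])


if __name__ == "__main__":
    print("RFC 5869 case 1 reproduced:", matches_rfc5869_case1())
    # Non-secret salt (e.g. a nonce exchanged in the protocol) plus low-density source material.
    for ctx, key in derive_session_keys(NONUNIFORM_SKM, b"public-salt-from-protocol").items():
        print(ctx.decode(), key.hex())
```

The salt is passed as the HMAC key, exactly as slide 11 has it, so an implementation that lacks a salt degrades to HMAC under a fixed zero key rather than to a plain hash of the source material; and because the same `K_prf` is expanded under three different `ctxt_info` values, the MAC, encryption and IV keys are bound to their purpose without ever reusing the source key material.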

12 Why HMAC
Prudent use of hash, minimize "magic", proven structure
- Supports both PRF (traditional use) and extraction
A "property preserving" mode: extractor, PRF, random oracle
- None of these achieved by plain hash
- Supported by recent crypto literature
With and without key, with and without salt
Can replace HMAC with new "property preserving" modes (SHA3 competition), even block ciphers

13 Traditional Approach to KDF
Hash(skm || "1" || info) || ... || Hash(skm || "t" || info)
Plain hash (not HMAC) used as both extractor and PRF
- Plain hash is neither (even if the compression function is purely random)
No separation extract/expand: all folded into one "ideal hash"
At a minimum a reasonable KDF should fare well as an expanding PRF (e.g., when skm is random)
- But the above scheme uses the weak "key-prepended" PRF mode
Scheme is unsuited as extractor
- Repeated extraction from the same skm dilutes entropy
- Correlated inputs break even information-theoretic extractors
Does not accommodate salt even if available

14 NIST Variant (SP A)
Hash("1" || skm || info) || ... || Hash("t" || skm || info)
The traditional approach with a swapped counter
- Exemplifies the ad-hoc nature of these designs
- As PRF: a bad combination of key-prepended and key-appended modes; pitfall: in an ideal hash the position of the key is unimportant
- Apparently intended to counter the attack against Hash(skm || i): can break the KDF with a guessing attack even if skm is much longer. The illusion of >160-bit security with a 160-bit hash (NIST does not claim >160)
Also: the NIST function is "over-specified" (even for key exchange):
- Mandates inclusion of identities as part of "info"
Recent KDF draft: deals with expansion only

15 Cautionary Note
Everything is "correct" when Hash is treated as purely random
Idealization leads to wrong designs (e.g., all key positions equal)
Even if a compression function is random, its M-D iteration is not (not even a good extractor!)
In contrast: HMAC preserves the compression function's randomness

16 Summary
KDF: a fundamental, ubiquitous cryptographic component
So far, most designs are ad-hoc and "abuse" hash functions
The extract-then-expand paradigm as a better approach
- Sound mathematics, prudent engineering
Simple instantiation using HMAC
- Minimize complexity, mechanisms, and assumptions
Comparison and lessons from alternative schemes
Ready for standardization

17 Any interest? How do we proceed from here?
More details/rationale: (internet draft coming...)