Discussion of Some Letter Ballot 52 Comments
Jesse Walker, Intel Corporation
March 2003

Agenda
PRF Weakness
Entropy Reduction Issues
Inconsistency with draft NIST SP 800-56
Discussion
Straw Poll

802.11 PRF Definition
802.11-PRF(K, A, B, Len)
    R ← “”
    for i ← 0 to (Len+159)/160 do
        R ← R || HMAC-SHA-1(K, A || 0 || B || i)
    return first Len octets of R

PRF Weakness
PRF is subject to prefix attacks
Rules say never reuse PRF with same parameter
But if an attacker can force reuse, we’re hosed
Common Solution to this problem: Mix length of derived key into the derivation
    for i ← 0 to (Len+159)/160 do
        R ← R || HMAC-SHA-1(K, A || 0 || B || i || Len)
    return first Len octets of R
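
Added example, not part of the original slides: a Python sketch of the PRF above that shows the prefix property (a short output equals the start of a longer one derived from the same K, A, B) and how mixing Len into the HMAC input removes it. Assumptions: Len is in octets, the 0 separator and counter i are single octets, Len is encoded as 2 octets big-endian, and KEY, LABEL and CONTEXT are constructed sample values.

```python
import hashlib
import hmac

SHA1_OCTETS = 20  # HMAC-SHA-1 output size


def prf(key, a, b, length, bind_length=False):
    """PRF from the slides; Len is taken in octets (assumption).

    The 0 separator and counter i are single octets, and with
    bind_length=True Len is appended as a 2-octet big-endian field
    (encodings are assumptions; the slides do not specify them).
    """
    if not 0 < length <= 255 * SHA1_OCTETS:
        raise ValueError("length out of range for a one-octet counter")
    r = b""
    blocks = (length + SHA1_OCTETS - 1) // SHA1_OCTETS
    for i in range(blocks):
        msg = a + b"\x00" + b + bytes([i])
        if bind_length:
            msg += length.to_bytes(2, "big")
        r += hmac.new(key, msg, hashlib.sha1).digest()
    return r[:length]


def shares_prefix(short_len, long_len, bind_length):
    """True if the short output equals the start of the long output."""
    short = prf(KEY, LABEL, CONTEXT, short_len, bind_length)
    long_ = prf(KEY, LABEL, CONTEXT, long_len, bind_length)
    return long_.startswith(short)


# Constructed sample inputs, not real key material.
KEY = bytes(range(32))                 # 256-bit key
LABEL = b"Pairwise key expansion"      # parameter A (sample label)
CONTEXT = bytes.fromhex("00112233445566778899aabb") + b"\x5a" * 64  # parameter B

if __name__ == "__main__":
    # Same (K, A, B), two requested lengths: 16 and 48 octets.
    print("original PRF, prefix reuse:", shares_prefix(16, 48, False))
    print("Len mixed in, prefix reuse:", shares_prefix(16, 48, True))
```

With the original definition a party that legitimately obtains the 16-octet output already holds the first 16 octets of the 48-octet output; binding Len makes the two derivations independent.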

Entropy Reduction Issue
We use a 256-bit key for key derivation
PRF based on HMAC-SHA-1
HMAC begins by SHA-1 hashing keys longer than 160 bits
This means derived keys have at most 160 bits of entropy
Alternative: use AES-CBC-MAC with 256-bit keys
May avoid a new crypto primitive

Inconsistency with draft NIST SP 800-56
Draft of NIST SP 800-56 Clause 5.3:
NIST-PRF(Key, ID1, ID2, OptionalData, keysize)
    uint32 Counter ← 1
    j ← ceiling(keysize/Hashsize)
    R ← “”
    for i = 1 to j do
        R ← R | H(Key | Counter | ID1 | ID2 | OptionalData)
        Counter ← Counter + 1
    return first keysize bits of R
H = SHA-1, SHA-256, SHA-384 or SHA-512

Discussion
NIST PRF is simpler than ours
NIST PRF is cheaper than ours when H = SHA-1
NIST PRF can take advantage of 256-bit key when H = SHA-256, SHA-384, or SHA-512
SHA-512 gives us full benefit of 256 PTK
But SP is only draft, and we can submit comments until April 2

Straw Poll
Replace 802.11 PRF with NIST PRF with
    ID1 = Authenticator-MAC-Addr
    ID2 = Supplicant-MAC-Addr
    OptionalData = ANonce | SNonce | keysize
    H = SHA-1
Same question with H = SHA-512 instead
Same question with H = AES-CBC-MAC with feedback to NIST