Presentation is loading. Please wait.

Presentation is loading. Please wait.

Discussion of Some Letter Ballot 52 Comments

Published byNelson Wood Modified over 6 years ago

Similar presentations

Presentation on theme: "Discussion of Some Letter Ballot 52 Comments"— Presentation transcript:

1 Discussion of Some Letter Ballot 52 Comments
March 2003 Discussion of Some Letter Ballot 52 Comments Jesse Walker, Intel Corporation Jesse Walker, Intel Corporation

2 Agenda PRF Weakness Entropy Reduction Issues
March 2003 Agenda PRF Weakness Entropy Reduction Issues Inconsistency with draft NIST SP Discussion Straw Poll Jesse Walker, Intel Corporation

3 802.11 PRF Definition 802.11-PRF(K, A, B, Len) R  “”
March 2003 PRF Definition PRF(K, A, B, Len) R  “” for i  0 to (Len+159)/160 do R  R || HMAC-SHA-1(K, A || 0 || B || i) return first Len octets of R Jesse Walker, Intel Corporation

4 PRF Weakness PRF is subject to prefix attacks
March 2003 PRF Weakness PRF is subject to prefix attacks Rules say never reuse PRF with same parameter But if an attacker can force reuse, we’re hosed Common Solution to this problem: Mix length of derived key to the derivation for i  0 to (Len+159)/160 do R  R || HMAC-SHA-1(K, A || 0 || B || i || Len) return first Len octets of R Jesse Walker, Intel Corporation

5 Entropy Reduction Issue
March 2003 Entropy Reduction Issue We use a 256-bit key for key derivation PRF based on HMAC-SHA-1 HMAC begins by SHA-1 hashing keys longer than 160 bits This means derived keys have at most 160 bits of entropy Alternative: use AES-CBC-MAC with 256-bit keys May avoid a new crypto primitive Jesse Walker, Intel Corporation

6 Inconsistency with draft NIST SP 800-56
March 2003 Inconsistency with draft NIST SP Draft of NIST SP Clause 5.3: NIST-PRF(Key, ID1, ID2, OptionalData, keysize) uint32 Counter  1 j  ceiling(keysize/Hashsize) R  “” for i = 1 to j do R  R | H(Key | Counter | ID1 | ID2 | OptionalData) Counter  Counter + 1 return first keysize bits of R H = SHA-1, SHA-256, SHA-384 or SHA-512 Jesse Walker, Intel Corporation

7 Discussion NIST PRF is simpler than ours
March 2003 Discussion NIST PRF is simpler than ours NIST PRF is cheaper than ours when H = SHA-1 NIST PRF can take advantage of 256 bit key when H = SHA-256, SHA-384, or SHA-512 SHA-512 gives us full benefit of 256 PTK But SP is only draft, and we can submit comments until April 2 Jesse Walker, Intel Corporation

8 Straw Poll Replace 802.11 PRF with NIST PRF with
March 2003 Straw Poll Replace PRF with NIST PRF with ID1 = Authenticator-MAC-Addr ID2 = Supplicant-MAC-Addr OptionalData = ANonce | SNonce | keysize H = SHA-1 Same question with H = SHA-512 instead Same question with H = AES-CBC-MAC with feedback to NIST Jesse Walker, Intel Corporation

Download ppt "Discussion of Some Letter Ballot 52 Comments"

Similar presentations

Doc.: IEEE 802.11-01/147March 2000 TGe SecuritySlide 1 The Status of TGe S Draft Text Jesse Walker Intel Corporation (503) 712-1849.

Doc.: IEEE /147March 2000 TGe SecuritySlide 1 The Status of TGe S Draft Text Jesse Walker Intel Corporation (503)
GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |

GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
Doc.: IEEE 802.11-00/037 Submission March 2000 Duncan Kitchin, Jesse Walker, Intel NIDSlide 1 Proposal for Enhanced Encryption Duncan Kitchin Jesse Walker.

Doc.: IEEE /037 Submission March 2000 Duncan Kitchin, Jesse Walker, Intel NIDSlide 1 Proposal for Enhanced Encryption Duncan Kitchin Jesse Walker.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
CMSC 456 Introduction to Cryptography

CMSC 456 Introduction to Cryptography
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE 802.11-04/0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.

1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.
1 Standardizing Key Derivation Functions Hugo Krawczyk IBM Research Or: google kdf hmac.

1 Standardizing Key Derivation Functions Hugo Krawczyk IBM Research Or: google kdf hmac.
Class 4 Asymmetric Cryptography and Trusting Internal Components CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 4 Asymmetric Cryptography and Trusting Internal Components CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Doc.: IEEE 802.11-04/0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.

Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (

March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (
Doc.: IEEE 802.11-07/0293r0 Submission March 2007 Slide 1 TGr Key Derivation Functions Notice: This document has been prepared to assist IEEE 802.11. It.

Doc.: IEEE /0293r0 Submission March 2007 Slide 1 TGr Key Derivation Functions Notice: This document has been prepared to assist IEEE It.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.

Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Doc.: IEEE 802.11-03/657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.

Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group

Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group
Doc.: IEEE 802.11-10/0964r0 Submission September 2010 David Halasz, AclaraSlide 1 Smart Grid and Key Lengths Date: 2010-08-09 Authors:

Doc.: IEEE /0964r0 Submission September 2010 David Halasz, AclaraSlide 1 Smart Grid and Key Lengths Date: Authors:
1 Randomized Hashing: Secure Digital Signatures without Collision Resistance Shai Halevi and Hugo Krawczyk IBM Research

1 Randomized Hashing: Secure Digital Signatures without Collision Resistance Shai Halevi and Hugo Krawczyk IBM Research
Message Authentication Code

Message Authentication Code

Similar presentations

Ads by Google