
IKEv2 use of HMAC-SHA-1 for Key Derivation



On pages 23 and 33 of draft-ietf-ipsec-ikev2-03.txt, there is a discussion of the use of HMAC-SHA1 for key derivation. I have no doubt that this construction is secure, but I do wonder if it is overkill.

HMAC-SHA1 was designed as a packet integrity mechanism. The designers needed to deal with many concerns that are not obviously (at least to me) needed to generate a good key derivation function.

Can anyone tell me the properties of HMAC-SHA1 that are needed here that are not otherwise provided by a straightforward application of SHA1?

Putting it another way, the current document uses:

   T1 = HMAC-SHA1(K, S | 0x01)
   T2 = HMAC-SHA1(K, T1 | S | 0x02)
   T3 = HMAC-SHA1(K, T2 | S | 0x03)
   T4 = HMAC-SHA1(K, T3 | S | 0x04)

What needed property does this construction have that is not provided by the following?

   T1 = SHA1(K, S | 0x01)
   T2 = SHA1(K, T1 | S | 0x02)
   T3 = SHA1(K, T2 | S | 0x03)
   T4 = SHA1(K, T3 | S | 0x04)

Thanks for any insights that can be provided.

Russ
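
The two constructions in the message above, side by side, as an added example that is not part of the original message or of the draft. It assumes `SHA1(K, X)` means SHA1 over the concatenation `K | X`; the function names and the sample `K` and `S` are constructed for illustration. It also checks one observable difference: whether T1 changes when a byte is moved from the end of K to the front of S.

```python
import hashlib
import hmac


def hmac_prf(key: bytes, data: bytes) -> bytes:
    """The draft's form as quoted in the message: HMAC-SHA1(K, data)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def plain_prf(key: bytes, data: bytes) -> bytes:
    """Assumed reading of SHA1(K, data): SHA1 over K concatenated with data."""
    return hashlib.sha1(key + data).digest()


def expand(prf, key: bytes, seed: bytes, blocks: int) -> list:
    """T1 = prf(K, S | 0x01); Tn = prf(K, T(n-1) | S | n) for n = 2..blocks."""
    if not 1 <= blocks <= 255:
        raise ValueError("the block counter is a single octet")
    out, prev = [], b""
    for n in range(1, blocks + 1):
        prev = prf(key, prev + seed + bytes([n]))
        out.append(prev)
    return out


# Constructed sample inputs (not taken from the draft).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
S = b"sample seed octets"


def boundary_shift_collides(prf) -> bool:
    """Move the last byte of K to the front of S; report whether T1 is unchanged."""
    original = expand(prf, K, S, 1)[0]
    shifted = expand(prf, K[:-1], K[-1:] + S, 1)[0]
    return original == shifted


if __name__ == "__main__":
    for name, prf in (("HMAC-SHA1", hmac_prf), ("SHA1(K | ...)", plain_prf)):
        for i, t in enumerate(expand(prf, K, S, 4), 1):
            print(f"{name:14} T{i} = {t.hex()}")
        print(f"{name:14} T1 unchanged after K/S boundary shift: "
              f"{boundary_shift_collides(prf)}")
```

With plain concatenation the hash input is the same byte string for both (K, S) splits, so T1 is identical; HMAC takes the key as a separate input, so the two splits give different outputs.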