[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: ipsec@xxxxxxxxxxxxxxxxx*Subject*: Re: AES-based PRF for IKEv2*From*: daw@xxxxxxxxxxxxxxxxxxxxxx (David Wagner)*Date*: 21 Mar 2003 17:24:18 GMT*Distribution*: isaac*Newsgroups*: isaac.lists.ipsec*Organization*: University of California, Berkeley*References*: <>*Sender*: owner-ipsec@xxxxxxxxxxxxxxxxx

Uri Blumenthal wrote: >Here's a proposal for an AES-based PRF that takes variable-length >input and produces variable-length output. [...] >Two parameters - one is secret, the other one may be >known. No assumption on the quality of randomness of >either one is made. Assume that S is secret and N is >known. No limitation on size of S, N. [...] > 1. Fill the key-buffer with S. If S is shorter than > the key-buffer, pad the key buffer with zeroes. [...] >A block cipher being a Pseudo Random Permutation, if the >S parameter is secret, the following hold true: > > - output of (3) is pseudo-random. > - output of (5) is pseudo-random. I don't think your security claims are quite right. You've padded the key with zeros. As a result, you need a stronger assumption than that the block cipher is a pseudorandom permutation. A pseudorandom permutation only guarantees that the cipher is strong for uniformly random keys, not for keys padded with zeros and not for keys with poor-quality randomness. For instance, suppose E_k(x) is a block cipher with 256-bit key that acts as the identity function when the last 128 bits of k are zero, but otherwise acts as a secure block cipher. Then E_k(x) will be a pseudorandom permutation (with security parameter 2^-128), but your construction will be totally insecure when used with E_.(.) if S is 128 bits long (or shorter). Given your assumptions on S and N, I suspect you're really going to need to use a hash function. (Otherwise, you'll have to use some very strong assumptions about the block cipher -- e.g., the ideal cipher model -- but I definitely do not recommend doing so.)

**Follow-Ups**:**Re: AES-based PRF for IKEv2***From:*Uri Blumenthal

**References**:**AES-based PRF for IKEv2***From:*Uri Blumenthal

- Prev by Date:
**Re: Do ipsec vendors care about privacy?** - Next by Date:
**Re: Secure remote access with IPsec** - Previous by thread:
**AES-based PRF for IKEv2** - Next by thread:
**Re: AES-based PRF for IKEv2** - Index(es):