Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh.

Published byIlene Potter Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh

2 Dan Boneh Deriving many keys from one Typical scenario. a single source key (SK) is sampled from: Hardware random number generator A key exchange protocol (discussed later) Need many keys to secure session: unidirectional keys; multiple keys for nonce-based CBC. Goal: generate many keys from this one source key SK k 1, k 2, k 3, … KDF

3 Dan Boneh When source key is uniform F: a PRF with key space K and outputs in {0,1} n Suppose source key SK is uniform in K Define Key Derivation Function (KDF) as: CTX: a string that uniquely identifies the application KDF ( SK, CTX, L) := F ( SK, (CTX ll 0) ) ll F ( SK, (CTX ll 1) ) ll ⋯ ll F ( SK, (CTX ll L) ) KDF ( SK, CTX, L) := F ( SK, (CTX ll 0) ) ll F ( SK, (CTX ll 1) ) ll ⋯ ll F ( SK, (CTX ll L) )

4 Template vertLeftWhite2 What is the purpose of CTX? KDF ( SK, CTX, L) := F ( SK, (CTX ll 0) ) ll F ( SK, (CTX ll 1) ) ll ⋯ ll F ( SK, (CTX ll L) ) KDF ( SK, CTX, L) := F ( SK, (CTX ll 0) ) ll F ( SK, (CTX ll 1) ) ll ⋯ ll F ( SK, (CTX ll L) ) Even if two apps sample same SK they get indep. keys It’s good practice to label strings with the app. name It serves no purpose

5 Dan Boneh What if source key is not uniform? Recall: PRFs are pseudo random only when key is uniform in K SK not uniform ⇒ PRF output may not look random Source key often not uniformly random: Key exchange protocol: key uniform in some subset of K Hardware RNG: may produce biased output

6 Dan Boneh Extract-then-Expand paradigm Step 1: extract pseudo-random key k from source key SK step 2: expand k by using it as a PRF key as before prob SK prob k extractor salt salt: a fixed non-secret string chosen at random

7 Dan Boneh HKDF: a KDF from HMAC Implements the extract-then-expand paradigm: extract: use k HMAC( salt, SK ) Then expand using HMAC as a PRF with key k

8 Dan Boneh Password-Based KDF (PBKDF) Deriving keys from passwords: Do not use HKDF: passwords have insufficient entropy Derived keys will be vulnerable to dictionary attacks PBKDF defenses: salt and a slow hash function Standard approach: PKCS#5 (PBKDF1) H (c) (pwd ll salt): iterate hash function c times (more on this later)

9 Dan Boneh End of Segment

Download ppt "Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh."

Similar presentations

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

Similar presentations

Ads by Google