Security of DH key exchange
In practice the following method of exchanging keys using DH is used, to ensure
bit security of the resulting session key. If alice and bob exchange g^a and
g^b, the session key is defined as h(g^{ab}). This is mentioned in many
textbooks, but i can't find a reference to a paper discussing the security of
this in the following sense. If g^a etc. are computed over a field F of order
p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
g^b indistinguishable from a randomly selected session key k? (where
indistinguishable would mean that the advantage of the adversary of
distinguishing h(g^{ab}) from k is negligible in _n_).
References to this are much appreciated.
Regards,
Jaap-Henk
--
Jaap-Henk Hoepman | I've got sunshine in my pockets
Dept. of Computer Science | Brought it back to spray the day
University of Nijmegen |Gry Rocket
(w) www.cs.kun.nl/~jhh | (m) [EMAIL PROTECTED]
(t) +31 24 36 52710/531532 | (f) +31 24 3653137
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Security of DH key exchange
- Original Message -
From: Jaap-Henk Hoepman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 20, 2003 5:02 AM
Subject: Security of DH key exchange
In practice the following method of exchanging keys using DH is used, to
ensure
bit security of the resulting session key. If alice and bob exchange g^a
and
g^b, the session key is defined as h(g^{ab}). This is mentioned in many
textbooks, but i can't find a reference to a paper discussing the security
of
this in the following sense. If g^a etc. are computed over a field F of
order
p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given
g^a and
g^b indistinguishable from a randomly selected session key k? (where
indistinguishable would mean that the advantage of the adversary of
distinguishing h(g^{ab}) from k is negligible in _n_).
I don't know of any references that will explain this explicitly, but the
reasoning is simple: You model h as a random oracle, which would imply that
if the minimum entropy of g^(ab) is at least n bits, then h(g^{ab}) will be
indistinguishable from a value chosen randomly for the set of n-bit strings.
For information on general about DH, you can look at the following
manuscript:
http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf
--Anton
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: authentication and ESP
In message [EMAIL PROTECTED], martin f krafft writes : As far as I can tell, IPsec's ESP has the functionality of authentication and integrity built in: RFC 2406: 2.7 Authentication Data The Authentication Data is a variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data. The length of the field is specified by the authentication function selected. The Authentication Data field is optional, and is included only if the authentication service has been selected for the SA in question. The authentication algorithm specification MUST specify the length of the ICV and the comparison rules and processing steps for validation. To my knowledge, IPsec implementations use AH for signing though. Why do we need AH, or why is it preferred? Thanks for your clarification! The question has been asked quite often. The short answer is that AH protects parts of the preceeding IP header, which ESP doesn't do. I did an analysis many years ago which showed that everything in the AH header was either unprotectable, irrelevant, or protected in some other fashion. But the question has been re-opened, notably with regard to protecting Neighbor Discover in IPv6. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
