Security of DH key exchange
In practice the following method of exchanging keys using DH is used, to ensure bit security of the resulting session key. If alice and bob exchange g^a and g^b, the session key is defined as h(g^{ab}). This is mentioned in many textbooks, but i can't find a reference to a paper discussing the security of this in the following sense. If g^a etc. are computed over a field F of order p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and g^b indistinguishable from a randomly selected session key k? (where indistinguishable would mean that the advantage of the adversary of distinguishing h(g^{ab}) from k is negligible in _n_). References to this are much appreciated. Regards, Jaap-Henk -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day University of Nijmegen |Gry Rocket (w) www.cs.kun.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/531532 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Security of DH key exchange
- Original Message - From: Jaap-Henk Hoepman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 20, 2003 5:02 AM Subject: Security of DH key exchange In practice the following method of exchanging keys using DH is used, to ensure bit security of the resulting session key. If alice and bob exchange g^a and g^b, the session key is defined as h(g^{ab}). This is mentioned in many textbooks, but i can't find a reference to a paper discussing the security of this in the following sense. If g^a etc. are computed over a field F of order p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and g^b indistinguishable from a randomly selected session key k? (where indistinguishable would mean that the advantage of the adversary of distinguishing h(g^{ab}) from k is negligible in _n_). I don't know of any references that will explain this explicitly, but the reasoning is simple: You model h as a random oracle, which would imply that if the minimum entropy of g^(ab) is at least n bits, then h(g^{ab}) will be indistinguishable from a value chosen randomly for the set of n-bit strings. For information on general about DH, you can look at the following manuscript: http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: authentication and ESP
In message [EMAIL PROTECTED], martin f krafft writes : As far as I can tell, IPsec's ESP has the functionality of authentication and integrity built in: RFC 2406: 2.7 Authentication Data The Authentication Data is a variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data. The length of the field is specified by the authentication function selected. The Authentication Data field is optional, and is included only if the authentication service has been selected for the SA in question. The authentication algorithm specification MUST specify the length of the ICV and the comparison rules and processing steps for validation. To my knowledge, IPsec implementations use AH for signing though. Why do we need AH, or why is it preferred? Thanks for your clarification! The question has been asked quite often. The short answer is that AH protects parts of the preceeding IP header, which ESP doesn't do. I did an analysis many years ago which showed that everything in the AH header was either unprotectable, irrelevant, or protected in some other fashion. But the question has been re-opened, notably with regard to protecting Neighbor Discover in IPv6. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of Firewalls book) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]