Matthew Toseland wrote:
> NewPacketFormat assumes that we can generate as many keys as we want from JFK
> securely. Is this true? JFK uses an HMAC with 0, 1, or 2, to generate the
> session key or the 2 internal keys it uses, but does not explicitly document
> the option to generate more keys by incrementing that number - and it refers
> to IKE key extension if you need more bits (it does *not* say increment the
> number and stick them together, as you might expect). Is it safe to do what
> we have planned, to get separate keys for each direction and in
> NewPacketFormat for the IV key and HMAC key?
Here's how Ferguson and Schneier do it in Practical Cryptography:

    K is the master key for the channel

    KeySendEnc  = HASH (K || "Enc Alice to Bob")
    KeyRecEnc   = HASH (K || "Enc Bob to Alice")
    KeySendAuth = HASH (K || "Auth Alice to Bob")
    KeyRecAuth  = HASH (K || "Auth Bob to Alice")

    if (I am Bob) {
        swap (KeySendEnc, KeyRecEnc)
        swap (KeySendAuth, KeyRecAuth)
    }

Chapter 8 of that book is really worth reading if you're starting work on NewPacketFormat.

Cheers,
Michael
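The derivation Michael quotes, written out as an added example (not code from the thread or from Freenet): four keys are split by direction and by purpose through distinct labels, and Bob swaps send/receive so that both sides agree without negotiating. SHA-256 as HASH and the sample master key are assumptions of this example.

```python
import hashlib
from typing import Dict

# Labels exactly as in the Ferguson & Schneier scheme quoted in the thread.
LABELS = {
    "SendEnc": b"Enc Alice to Bob",
    "RecEnc": b"Enc Bob to Alice",
    "SendAuth": b"Auth Alice to Bob",
    "RecAuth": b"Auth Bob to Alice",
}


def derive_channel_keys(master_key: bytes, i_am_bob: bool) -> Dict[str, bytes]:
    """Derive four directional channel keys as HASH(K || label).

    SHA-256 is an assumed instantiation of HASH; the quoted excerpt does
    not fix the hash function.
    """
    keys = {
        name: hashlib.sha256(master_key + label).digest()
        for name, label in LABELS.items()
    }
    if i_am_bob:
        # Bob's "send" direction is Alice's "receive" direction and vice versa.
        keys["SendEnc"], keys["RecEnc"] = keys["RecEnc"], keys["SendEnc"]
        keys["SendAuth"], keys["RecAuth"] = keys["RecAuth"], keys["SendAuth"]
    return keys


def keys_are_consistent(master_key: bytes) -> bool:
    """True if each side's send key is the peer's receive key for the same
    purpose, and the four keys held by one party are pairwise distinct."""
    alice = derive_channel_keys(master_key, i_am_bob=False)
    bob = derive_channel_keys(master_key, i_am_bob=True)
    directional = (
        alice["SendEnc"] == bob["RecEnc"] and alice["RecEnc"] == bob["SendEnc"]
        and alice["SendAuth"] == bob["RecAuth"] and alice["RecAuth"] == bob["SendAuth"]
    )
    distinct = len(set(alice.values())) == 4
    return directional and distinct


if __name__ == "__main__":
    # Constructed sample master key; a real K comes out of the handshake.
    print(keys_are_consistent(b"constructed-sample-master-key"))
```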