Matthew Toseland wrote:
> JFK is:
>
> Session key = H_<secret> { alice exponential, bob exponential, "2" }
> K_a = H_<secret> { alice exponential, bob exponential, "1" }
> K_e = H_<secret> { alice exponential, bob exponential, "2" }
>
> Where K_a and K_e are temporary keys used in phase 3 and 4.
>
> It's the same principle, it's just a question of whether it's safer to derive
> further keys from the session key or from the secret key (= g^xy).
From this and the Ferguson/Schneier snippet it looks like you can generally derive any number of keys from a master key by hashing it with different values, wouldn't you say?

(Actually I'm kind of surprised by this... ideally we'd like there to be no relationship between the various keys, but obviously there has to be a relationship if the other keys are derived from the master, so the problem is how to make sure the relationship isn't exploitable... I didn't realise hash functions guaranteed to conceal the relationship between the input and output; that sounds more like the guarantee provided by a block cipher, so I would have thought it would make more sense to use a block cipher to derive the other keys... something like k1=enc_k(1), k2=enc_k(2), etc... in other words CTR mode. But what do I know?)

Cheers,
Michael
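The derivation pattern discussed in this exchange, as an added example that is not code from either poster or from any JFK implementation. It instantiates H_<secret>{...} as HMAC-SHA256 keyed with the shared secret, which is an assumption (the thread does not say what hash or keying construction is used), and it also shows Michael's counter-style k_i = enc_k(i) idea with the same keyed PRF standing in for the block cipher, so the two constructions can be compared side by side. The secret and exponentials below are constructed sample bytes, not real protocol values.

```python
import hashlib
import hmac

# Assumption (not from the thread): H_<secret>{fields...} is HMAC-SHA256 keyed
# with the shared secret, applied to a length-prefixed encoding of the fields.
# Length-prefixing matters: without it, ("ab", "c") and ("a", "bc") would feed
# identical bytes to the PRF and two "different" inputs could yield one key.
def prf(secret: bytes, *fields: bytes) -> bytes:
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(4, "big"))
        mac.update(f)
    return mac.digest()


# Label-based derivation as in the quoted scheme:
#   K = H_<secret>{ alice exponential, bob exponential, label }
# The label ("1", "2", ...) is the only thing that changes between keys; the
# PRF property is what keeps K_a from leaking anything about K_e.
def derive_key(shared_secret: bytes, g_x: bytes, g_y: bytes, label: bytes) -> bytes:
    return prf(shared_secret, g_x, g_y, label)


# Michael's alternative, k_i = enc_k(i) (CTR-style), with the keyed PRF in
# place of the block cipher. Structurally it is the same trick: one master
# secret, distinct public inputs, independent-looking outputs.
def derive_counter_keys(master: bytes, count: int) -> list[bytes]:
    return [prf(master, i.to_bytes(4, "big")) for i in range(count)]


# A small self-check: distinct labels give distinct keys, the same inputs give
# the same key on both sides, and swapping the exponentials (i.e. confusing
# who is Alice and who is Bob) changes every derived key.
def check_separation(shared_secret: bytes, g_x: bytes, g_y: bytes) -> bool:
    k_a = derive_key(shared_secret, g_x, g_y, b"1")
    k_e = derive_key(shared_secret, g_x, g_y, b"2")
    k_a_again = derive_key(shared_secret, g_x, g_y, b"1")
    k_a_swapped = derive_key(shared_secret, g_y, g_x, b"1")
    return k_a != k_e and k_a == k_a_again and k_a != k_a_swapped


if __name__ == "__main__":
    # Constructed sample values; a real run would use g^xy and the two
    # exponentials exchanged in the protocol.
    secret = b"constructed-shared-secret-g^xy"
    alice_exp = b"constructed-g^x"
    bob_exp = b"constructed-g^y"
    for label in (b"1", b"2"):
        print(label.decode(), derive_key(secret, alice_exp, bob_exp, label).hex())
    for i, k in enumerate(derive_counter_keys(secret, 3)):
        print("ctr", i, k.hex())
    print("separation ok:", check_separation(secret, alice_exp, bob_exp))
```

Whichever construction is used, the thing that makes the "relationship" between keys non-exploitable is that the derivation function is a PRF under the master secret: an attacker who learns K_a still faces a random-looking K_e, because recovering the master from one output, or predicting another output, is exactly what the PRF assumption rules out.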