On 2/12/20 12:50 PM, Jeff Ahrenholz wrote:
Looking at Section 6.3 HIP DEX KEYMAT Generation, it discusses
using Diffie-Hellman derived key Kij, but I don't see anything
about using I_NONCE. There is a random #I provided by the
Responder from the PUZZLE parameter, but nothing about a
random I_NONCE supplied by the Initiator.
In 6.3:
IKM Input keying material
the Diffie-Hellman derived key, concatenated with the
random I_NONCE value for the Master Key SA
the Diffie-Hellman derived key, concatenated with the
random values of the ENCRYPTED_KEY parameters in
the same order as the HITs with sort(HIT-I | HIT-R)
for the Pair-wise Key SA The key derivation for the
Master Key SA employs always both the
Extract and Expand phases. The Pair-wise Key SA needs only the
Extract phase when key is smaller or equal to 128 bits, but otherwise
requires also the Expand phase.
The CKDF-Extract function is the following operation:
Moskowitz, et al. Expires August 15, 2020 [Page 32]
�
Internet-Draft HIP Diet EXchange (DEX) February 2020
CKDF-Extract(I, IKM, info) -> PRK
Inputs:
I Random #I, provided by the Responder, from the PUZZLE
parameter
IKM Input keying material
the Diffie-Hellman derived key, concatenated with the
random I_NONCE value for the Master Key SA
the Diffie-Hellman derived key, concatenated with the
random values of the ENCRYPTED_KEY parameters in
the same order as the HITs with sort(HIT-I | HIT-R)
for the Pair-wise Key SA
info sort(HIT-I | HIT-R) | "CKDF-Extract"
where "CKDF-Extract" is an octet string
Output:
PRK a pseudorandom key (of RHASH_len/8 octets)
The pseudorandom key PRK is calculated as follows:
PRK = CMAC(I, IKM | info)
The CKDF-Expand function is the following operation:
Moskowitz, et al. Expires August 15, 2020 [Page 33]
�
Internet-Draft HIP Diet EXchange (DEX) February 2020
CKDF-Expand(PRK, info, L) -> OKM
Inputs:
PRK a pseudorandom key of at least RHASH_len/8 octets
(either the output from the extract step or the
concatenation of the random values of the
ENCRYPTED_KEY parameters in the same order as the
HITs with sort(HIT-I | HIT-R) in case of no extract)
info sort(HIT-I | HIT-R) | "CKDF-Expand"
where "CKDF-Expand" is an octet string
L length of output keying material in octets
(<= 255*RHASH_len/8)
Output:
OKM output keying material (of L octets)
The output keying material OKM is calculated as follows:
N = ceil(L/(RHASH_len/8))
T = T(1) | T(2) | T(3) | ... | T(N)
OKM = first L octets of T
where
T(0) = empty string (zero length)
T(1) = CMAC(PRK, T(0) | info | 0x01)
T(2) = CMAC(PRK, T(1) | info | 0x02)
T(3) = CMAC(PRK, T(2) | info | 0x03)
...
Is this a new table row, or maybe something happened to the output?
Look at it in the draft, it does not format so well in a message.
It looks good.
In the dex-12 html/text versions I'm seeing the following text, which does not
list IKM or info inputs for CKDF-Extract:
The CKDF-Extract function is the following operation:
CKDF-Extract(I, IKM, info) -> PRK
Inputs:
I Random #I, provided by the Responder, from the PUZZLE
parameter
The CKDF-Expand function is the following operation:
Moskowitz, et al. Expires August 12, 2020 [Page 32]
Internet-Draft HIP Diet EXchange (DEX) February 2020
CKDF-Expand(PRK, info, L) -> OKM
Inputs:
PRK a pseudorandom key of at least RHASH_len/8 octets
(either the output from the extract step or the
concatenation of the random values of the
ENCRYPTED_KEY parameters in the same order as the
HITs with sort(HIT-I | HIT-R) in case of no extract)
info sort(HIT-I | HIT-R) | "CKDF-Expand"
where "CKDF-Expand" is an octet string
L length of output keying material in octets
(<= 255*RHASH_len/8)
Oh, oh. I checked https://www.ietf.org/id/draft-ietf-hip-dex-12.txt and
you are right and it is wrong.
Miika? Something went wrong from what I sent and what got posted. Here
is what I have from running xml2rfc locally on the xml:
=============================================
The key derivation for the Master Key SA employs always both the
Extract and Expand phases. The Pair-wise Key SA needs only the
Extract phase when key is smaller or equal to 128 bits, but otherwise
requires also the Expand phase.
The CKDF-Extract function is the following operation:
Moskowitz, et al. Expires August 15, 2020 [Page 32]
�
Internet-Draft HIP Diet EXchange (DEX) February 2020
CKDF-Extract(I, IKM, info) -> PRK
Inputs:
I Random #I, provided by the Responder, from the PUZZLE
parameter
IKM Input keying material
the Diffie-Hellman derived key, concatenated with the
random I_NONCE value for the Master Key SA
the Diffie-Hellman derived key, concatenated with the
random values of the ENCRYPTED_KEY parameters in
the same order as the HITs with sort(HIT-I | HIT-R)
for the Pair-wise Key SA
info sort(HIT-I | HIT-R) | "CKDF-Extract"
where "CKDF-Extract" is an octet string
Output:
PRK a pseudorandom key (of RHASH_len/8 octets)
The pseudorandom key PRK is calculated as follows:
PRK = CMAC(I, IKM | info)
The CKDF-Expand function is the following operation:
Moskowitz, et al. Expires August 15, 2020 [Page 33]
�
Internet-Draft HIP Diet EXchange (DEX) February 2020
CKDF-Expand(PRK, info, L) -> OKM
Inputs:
PRK a pseudorandom key of at least RHASH_len/8 octets
(either the output from the extract step or the
concatenation of the random values of the
ENCRYPTED_KEY parameters in the same order as the
HITs with sort(HIT-I | HIT-R) in case of no extract)
info sort(HIT-I | HIT-R) | "CKDF-Expand"
where "CKDF-Expand" is an octet string
L length of output keying material in octets
(<= 255*RHASH_len/8)
Output:
OKM output keying material (of L octets)
The output keying material OKM is calculated as follows:
N = ceil(L/(RHASH_len/8))
T = T(1) | T(2) | T(3) | ... | T(N)
OKM = first L octets of T
where
T(0) = empty string (zero length)
T(1) = CMAC(PRK, T(0) | info | 0x01)
T(2) = CMAC(PRK, T(1) | info | 0x02)
T(3) = CMAC(PRK, T(2) | info | 0x03)
...
_______________________________________________
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec
