On Thu, 14 Jan 2016, Scott Fluhrer (sfluhrer) wrote:
> > Is it possible to use the already negotiated IKEv2 prf inside the modified crypto formulas? In this case they would look like:
> >
> > SKEYSEED = prf(prf(ppk, Ni) | prf(ppk, Nr), g^ir)
> > (SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr) = prf+(SKEYSEED, prf(ppk, Ni) | prf(ppk, Nr) | SPIi | SPIr)
> >
> > and so on. I'm not a cryptographer, but it seems to me that this is safe, isn't it? In this case no additional negotiation is required since prf is negotiated in IKEv2 anyway and thus we would have algorithm agility in KDF for free.
>
> I like this -- I'm stealing this idea.
Note that using a hash of a hash is frowned upon. See the latest SLOTH on TLS for an example of a collision attack that used the fact that a hashed message got hashed again (unlike IKE which hashes only the data)

Paul
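The derivation quoted above, written out as an added example that is not code from this thread or from any IKE implementation. It assumes the negotiated prf is PRF_HMAC_SHA2_256, implements prf+ as defined in RFC 7296 section 2.13, treats all seven SK_* keys as 32 bytes for illustration (real sizes depend on the negotiated algorithms), and uses constructed sample values; `rfc7296_skeyseed` is the unmodified IKEv2 derivation, included only so the two can be compared.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated IKEv2 prf, assumed here to be PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ...
    """
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:  # the counter is a single byte, so prf+ yields at most 255 blocks
            raise ValueError("prf+ can produce at most 255 blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

SK_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def rfc7296_skeyseed(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """Baseline IKEv2 derivation without a PPK: SKEYSEED = prf(Ni | Nr, g^ir)."""
    return prf(ni + nr, g_ir)

def ppk_keymat(ppk, ni, nr, g_ir, spi_i, spi_r, key_len=32):
    """Derivation exactly as written in the quoted proposal (not a standard):
    SKEYSEED = prf(prf(ppk, Ni) | prf(ppk, Nr), g^ir)
    SK_*     = prf+(SKEYSEED, prf(ppk, Ni) | prf(ppk, Nr) | SPIi | SPIr)
    Assumption: every SK_* key is key_len bytes; IKEv2 sizes vary per algorithm.
    """
    mixed = prf(ppk, ni) + prf(ppk, nr)  # PPK-bound nonces, used in both steps
    skeyseed = prf(mixed, g_ir)
    keymat = prf_plus(skeyseed, mixed + spi_i + spi_r, len(SK_NAMES) * key_len)
    keys = {name: keymat[i * key_len:(i + 1) * key_len] for i, name in enumerate(SK_NAMES)}
    return skeyseed, keys

# Constructed sample values (not real handshake data): nonces, shared secret, SPIs, PPK.
NI, NR = bytes(range(32)), bytes(range(32, 64))
G_IR = hashlib.sha256(b"constructed g^ir").digest()
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8
PPK = b"constructed-ppk-shared-out-of-band"

if __name__ == "__main__":
    _, keys = ppk_keymat(PPK, NI, NR, G_IR, SPI_I, SPI_R)
    print({name: k.hex() for name, k in keys.items()})
```

A peer that does not hold the PPK derives a different SKEYSEED (compare with `rfc7296_skeyseed`), so the PPK ends up bound into every SK_* key rather than negotiated as a separate algorithm.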
