Hi again Hannes,
On Aug 28, 2006, at 12:07 PM, David McGrew wrote:
Hi Hannes,
On Aug 28, 2006, at 11:43 AM, Hannes Tschofenig wrote:
Hi David,
thanks for your feedback.
If I read through it I get the impression that the IKEv2 selected
algorithms (as defined in RFC 4307) would not be allowed to go
forward. I wonder whether we put the bar a bit high here.
One might even get the impression that nobody read RFC 4307 before
it was published.
I think that it comes down to unfortunate timing. XCBC was
proposed to NIST but not adopted by them when it got picked up by
IKEv2; afterwards, XCBC got improved into OMAC. I believe that
IKEv2 re-used HMAC as a KDF out of a desire for compatibility with
IKEv1. NIST SP 800-56 Sec. 5.3 mandates a hash-based KDF; NIST
has made an exception for IKE and TLS, allowing their use in
FIPS-140 certified crypto modules, but AFAICT this exception is
specific to those protocols, and would not apply to GPSK. (I would
be happy to be wrong on this point.)
OK, I think I get my wish :-) The most recent version of SP800-56
says in Sec. 5.8.3 that "the IKEv2 KDF of Section 5.8.3 and the PRF
TLS KDF of Section 5.8.4 are allowed; the use of one of these allowed
KDFs is to be used only when both parties agree on its use." Sounds
to me like the HMAC-based IKEv2 key derivation could be used in
applications like GPSK and get a FIPS-140 certification, which is
great news.
David
_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
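The HMAC-based IKEv2 key derivation that the thread says SP 800-56 now allows (the prf+ construction and the IKE SA key split of RFC 4306, instantiated with PRF_HMAC_SHA1 from RFC 4307), as an added worked example in Python. This is not code from the original message or from any IETF document; the nonces, SPIs, shared secret and key sizes are constructed sample values.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """The IKEv2 prf instantiated as HMAC (e.g. PRF_HMAC_SHA1 from RFC 4307)."""
    return hmac.new(key, data, hash_name).digest()


def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """prf+ from RFC 4306 Section 2.13:
         T1 = prf(K, S | 0x01), T2 = prf(K, T1 | S | 0x02), T3 = prf(K, T2 | S | 0x03), ...
         prf+(K, S) = T1 | T2 | T3 | ...   (truncated to `length` bytes)
    The one-byte counter caps the output at 255 blocks, as the RFC states."""
    block = hashlib.new(hash_name).digest_size
    if length > 255 * block:
        raise ValueError("prf+ cannot produce more than 255 output blocks")
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]), hash_name)
        out += t
        counter += 1
    return out[:length]


def ikev2_ike_sa_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                      key_lengths: dict, hash_name: str = "sha1") -> dict:
    """IKE SA key material of RFC 4306 Section 2.14:
         SKEYSEED = prf(Ni | Nr, g^ir)
         {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    `key_lengths` maps each key name to its byte length, in that order."""
    skeyseed = prf(ni + nr, g_ir, hash_name)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(key_lengths.values()), hash_name)
    keys, offset = {}, 0
    for name, n in key_lengths.items():
        keys[name] = stream[offset:offset + n]
        offset += n
    return keys


if __name__ == "__main__":
    # Constructed sample inputs (not real IKE traffic): 8-byte SPIs, 16-byte nonces,
    # a fake DH shared secret, and HMAC-SHA1 / AES-128 key sizes.
    sample = dict(g_ir=b"\x5a" * 32, ni=b"\x01" * 16, nr=b"\x02" * 16,
                  spi_i=b"\x10" * 8, spi_r=b"\x20" * 8)
    lengths = {"SK_d": 20, "SK_ai": 20, "SK_ar": 20, "SK_ei": 16,
               "SK_er": 16, "SK_pi": 20, "SK_pr": 20}
    for name, key in ikev2_ike_sa_keys(**sample, key_lengths=lengths).items():
        print(f"{name:5s} {key.hex()}")
```

The iterated, chained form of prf+ is what distinguishes the IKEv2 KDF from the plain counter-mode hash KDF of SP 800-56 Section 5.8, which is why the allowance in Section 5.8.3 matters for reusing it elsewhere.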