questions on RFC2631 and DH key agreement

Hal Finney hal at finney.org
Thu Feb 7 22:15:33 EST 2008 

Hi Jeff -
> How wise (in a real-world sense) is it, in a protocol specification, to 
> specify that one simply obtain an ostensibly random value, and then use that 
> value directly as the signature key in, say, an HMAC-based signature, without 
> any further stipulated checking and/or massaging of the value before such use?

I think it's OK, as long as it is understood that the random number
generator should be of good quality. If it is not, I don't know that
checking and/or massaging will help much.

> E.g., here's such a specfication excerpt and is absolutely everything said in 
> the spec wrt obtaining said signature keys:
>
>   When generating MAC keys, the recommendations in [RFC1750] SHOULD be 
> followed.

One point, RFC1750 has been superceded by RFC4086.

>   ...
>   The quality of the protection provided by the MAC depends on the randomness of
>   the shared MAC key, so it is important that an unguessable value be used.
>
> How (un)wise is this, in a real-world sense? 

It seems pretty reasonable to me. They are referring to an RFC with
lots of good advice about random number generators, and they emphasize
that the key value should be unguessable. It's probably out of scope to
go into a lot more detail than that. Referring to other standards like
RFC1750/4086 is the right way to handle this kind of issue.

> [yes, I'm aware that using a only a SHOULD here leaves a huge door open 
> compliance-wise, but that's a different issue]

I am the co-author of the OpenPGP Standard, RFC4880. All we say is:

       The sending OpenPGP generates a random number to be used as a
       session key for this message only.

and

   * Certain operations in this specification involve the use of random
     numbers.  An appropriate entropy source should be used to generate
     these numbers (see [RFC4086]).

Not all that different in thrust than the spec you are looking at.

Hal

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list