Subject: KERBEROS - Deriving session keys from master secret
We need to specify how to use a secret bound in a kerb ticket for encryption and authentication. This has two parts: first, nit-picky issues like byte ordering; second, sub-key derivation.

The secret contained in a kerb ticket is a master secret. It should never be used to encrypt or authenticate data directly; it should only be used in a secure fashion to create the session keys used for actual processing.

In the case of encryption, SOME algorithms have an IV, others do not. If some loser were to encrypt two pieces of data with the same key under RC4 there is a simple cryptanalytic attack for recovering the message data:

  C1 = M1 XOR S, C2 = M2 XOR S => C1 XOR C2 = M1 XOR M2 XOR S XOR S = M1 XOR M2

where S = E(k), the stream cipher's cipher stream.

In the case of MAC algorithms the message encryption layers do not specify any key freshening scheme.

As I see it the question is to what extent we want to protect losers from losing by making the scheme foolproof. A simple key derivation scheme would be: the sender specifies a random XOR mask to be used to freshen the master secret. This is secure, but only if the XOR mask is strong. A stronger scheme is to use some form of cryptographic primitive such as a hash, so we guarantee the derived key is secure.
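As an added illustration of the point above (not code from the original post or from any Kerberos implementation), the following Python compares direct use of a master secret under a stream cipher with hash-based session-key derivation. The stream cipher is a constructed stand-in (SHA-256 in counter mode, not RC4), the derivation uses HMAC-SHA256 as one possible "cryptographic primitive such as a hash" (the post names none), and all key, nonce and message values are constructed sample data.

```python
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher stand-in (NOT RC4): SHA-256 in counter mode.
    Like RC4 it is fully determined by the key, which is all this demo needs."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, msg: bytes) -> bytes:
    # C = M XOR S, where S = E(k) is the cipher stream
    return xor_bytes(msg, keystream(key, len(msg)))


def derive_session_key(master_secret: bytes, label: bytes, nonce: bytes) -> bytes:
    """Hash-based derivation (assumption: HMAC-SHA256).  `label` separates the
    encryption key from the MAC key; `nonce` is the sender's fresh per-message
    value.  The master secret itself never touches the cipher."""
    return hmac.new(master_secret, label + b"\x00" + nonce, hashlib.sha256).digest()


def reuse_leak(master_secret: bytes, m1: bytes, m2: bytes) -> bytes:
    """Master secret used directly for two messages: C1 XOR C2 == M1 XOR M2,
    the two-time-pad relation described in the post."""
    c1 = stream_encrypt(master_secret, m1)
    c2 = stream_encrypt(master_secret, m2)
    return xor_bytes(c1, c2)


def derived_leak(master_secret: bytes, m1: bytes, m2: bytes,
                 nonce1: bytes, nonce2: bytes) -> bytes:
    """Each message under its own derived key.  With distinct nonces the two
    cipher streams are unrelated, so C1 XOR C2 no longer reveals M1 XOR M2.
    With a repeated nonce the derived keys coincide and the leak returns."""
    k1 = derive_session_key(master_secret, b"enc", nonce1)
    k2 = derive_session_key(master_secret, b"enc", nonce2)
    return xor_bytes(stream_encrypt(k1, m1), stream_encrypt(k2, m2))


def xor_mask_key(master_secret: bytes, mask: bytes) -> bytes:
    """The post's simpler scheme: freshen the master secret by XOR with a
    sender-chosen mask.  A weak (e.g. all-zero) mask gives back the master secret."""
    return xor_bytes(master_secret, mask)


# Constructed sample values (same-length messages keep the XOR comparison exact)
MASTER = bytes(range(32))
M1 = b"message number one, padded"
M2 = b"message number two, padded"
NONCE1 = b"\x01" * 16
NONCE2 = b"\x02" * 16

if __name__ == "__main__":
    print(reuse_leak(MASTER, M1, M2) == xor_bytes(M1, M2))                   # True
    print(derived_leak(MASTER, M1, M2, NONCE1, NONCE2) == xor_bytes(M1, M2))  # False
    print(derived_leak(MASTER, M1, M2, NONCE1, NONCE1) == xor_bytes(M1, M2))  # True
    print(xor_mask_key(MASTER, bytes(32)) == MASTER)                          # True
```

The third check is the caveat that matters in practice: hash-based derivation only protects a sender that actually supplies a fresh nonce per message, so a protocol spec has to say where that nonce comes from and that it must not repeat, not merely that a hash is used.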