Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[STDS-802-11-TGBT] On the topic of secret salt

 

  The first claim was that salt needs to either be random or all zeros. There is nothing in the RFC that says this.  In fact, it says the exact opposite, that a secret salt will significantly improve the security of the derivation.

 

  The next claim was a PQC would be able to crack the DHss and therefore launch an attack that could not be articulated.

 

  So let’s look at TLS 1.3, a protocol with a key schedule that no one is claiming is susceptible to attack. Here’s an abbreviated version of the TLS key schedule (I’m leaving out some intermediate derivations):

 

       HKDF-Extract(0, PSK)

                     |

                    V

       HKDF-Expand(., “label” | “context”, Length). ----> intermediate key for client handshake secret

                    |

                   V

        HKDF-Extract(., ECDH)

                    |

                   V

        HKDF-Expand(., “diff label” | “diff context”, Length) ----> traffic encryption key

 

   Et cetera.

 

  Now what did I propose in 11-26/0938r0?

 

     HKDF-Extract(0, MLKEMss)

                   |

                  V

      (missing intermediate expansion)

                  |

                 V

      HKDF-Extract(., PMK)

                 |

                V

       HKDF-Expand(., “label” | “context”, Length).  ----> traffic encryption key

 

Since 802.11 does not require the intermediate keys that TLS does there is no intermediate expansion. But other than that, this is basically the same thing. Starts out with a zero salt because there is no possibility of a salt at that point but then a secret salt for subsequent derivation and eventual generation of a traffic encryption key.

 

  So if what I proposed is insecure then what TLS 1.3 is doing is also insecure. But since the attack was not articulated I don’t believe it actually exists.

 

  My proposal is analogous to what TLS 1.3 is doing and no one is claiming that TLS 1.3 is insecure because of HKDF and salt. The argument was bogus. There is nothing wrong and lots of stuff right about using a secret salt in key derivation.

 

  Regards,

 

  Dan.

 

--

“the object of life is not to be on the side of the majority, but to

escape finding oneself in the ranks of the insane.” – Marcus Aurelius

 

 

To unsubscribe from the STDS-802-11-TGBT list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBT&A=1