1

I'm using a technique borrowed out of a book by Bruce Schneier and Niels Ferguson called Practical Cryptography. Basically, it boils down to this:

Bob does this:

pubk_A = Alice's public key

entropy = bytes from cryptographic quality PRNG

encrypted_entropy = RSA_Encryptpubk_A(entropy)

hashed_entropy = SHA2-512(entropy)

encrypt_keyBA = hashed_entropy[0:32]
encrypt_nonceBA = hashed_entropy[32:48]
hmac_keyBA = hashed_entropy[48:64]

Bob then sends encrypted_entropy to Alice.

Then Alice does this:

privk_A = Alice's private key

entropy = RSA_Decryptprivk_A(encrypted_entropy)

hashed_entropy = SHA2-512(entropy)

encrypt_keyBA = hashed_entropy[0:32]
encrypt_nonceBA = hashed_entropy[32:48]
hmac_keyBA = hashed_entropy[48:64]

This works great for generating keys that can be used to communicate from Bob to Alice. But I need keys I can use in both directions. I was thinking of modifying the algorithm in this way:

Bob does this with entropy:

pubk_B = Bob's public key

hashed_entropyBA = SHA2-512(SHA2-256(pubk_A) + entropy

encrypt_keyBA = hashed_entropy[0:32]
encrypt_nonceBA = hashed_entropy[32:48]
hmac_keyBA = hashed_entropy[48:64]

hashed_entropyAB = SHA2-512(SHA2-256(pubk_B) + entropy

encrypt_keyAB = hashed_entropy[0:32]
encrypt_nonceAB = hashed_entropy[32:48]
hmac_keyAB = hashed_entropy[48:64]

Alice can do the same thing on her side after she obtains entropy by decrypting encrypted_entropy.

As you can see, now there are two sets of keys, one used for communicating from Bob to Alice, and another for communicating from Alice to Bob.

Is there anything wrong with this? What security risks am I taking? Is the security of the system less or more than if I simply had one party tweak a bit in the nonce? Is there a better way to handle this problem without adding round-trips?

Omnifarious
  • 54,333
  • 19
  • 131
  • 194
  • I enjoyed reading Practical Cryptography. – rook Mar 28 '11 at 18:13
  • Cross-posted on http://security.stackexchange.com/questions/2772/are-there-any-serious-problems-with-this-technique-for-generating-symmetric-keys. This should probably be answered there. – Jeff Ferland Mar 28 '11 at 18:30
  • @Jeff Ferland: I really hate how stack has fragmented the way it has. Makes it much harder to figure out where a question should be asked and where it will be most likely to get an answer. I notice that it's hardly even been looked at on security.stackexchange.com – Omnifarious Mar 28 '11 at 18:44
  • @Omnifarious: I understand your concern about topic fragmentation. Unfortunately, in my opinion, the alternative is worse. The signal to noise ratio, or the questions you're interested in versus the questions you have no interest in, would decrease dramatically, to the point where people would leave, because it wouldn't be worth the bother anymore. Stack Overflow is starting to feel that way to me, even with the topic fragmentation. – Gilbert Le Blanc Mar 28 '11 at 18:51
  • @Gilbert Le Blance: I aggressively use tag filtering to here to handle the problem. There are a whole host of tags I've asked to never see questions about. The 'Interesting question' tab is also a good attempt. Unfortunately, it completely misses the absolutely most interesting thing to me about a question, which is that it has no answers at all (upvoted or not). – Omnifarious Mar 28 '11 at 18:54
  • @Omnifarious: Yes, I'm sure that helps. Unfortunately for me, the questions I don't want to see are the questions that are most likely to be tagged inaccurately. Namely, homework and "give me the codez" questions. :-) – Gilbert Le Blanc Mar 28 '11 at 18:59
  • @Gilbert Le Blanc I don't like the security stack exchange and i won't use it until they close the security tag on serverfault and SO. – rook Mar 28 '11 at 19:19
  • @Jeff - why does this question belong in IT Security? Does IT security deal with design issues or IT environment related issues? – user220201 Mar 28 '11 at 21:15
  • The security site covers both. – Jeff Ferland Mar 28 '11 at 21:30
  • @Rook - any reason why? Sure, it is in beta as it only started in November, but it is steadily growing and has a strong base of very experienced professionals already. You can help it grow faster by using it. – Rory Alsop Mar 29 '11 at 07:40
  • @user220201 - absolutely. have a look at the security faq - http://security.stackexchange.com/faq – Rory Alsop Mar 29 '11 at 07:41
  • @Rory Alsop because a fragmented community is a poorly designed one. This was the first and its where I'll stay. Also it just seems to be mostly comprised of re-posts of boring SO questions. – rook Mar 29 '11 at 14:38
  • @Rook - fragmentation may well be a bad thing, however SO is not the first place an experienced security professional will be, so it makes a lot of sense to move infosec questions that come within the professional/enterprise field across to security.se. Reposts will occur as more people learn, and we migrate questions over, but SO is not the place for security queries. – Rory Alsop Mar 29 '11 at 14:48
  • @Rory Alsop as the number one answerer of secuirty and crypto questions on SO, I disagree. There have been **A LOT** more secuirty questions posted to SO than anywhere else. It should also be noted that SO asks a lot of security questions without the security tag, because the OP doesn't understand. – rook Mar 29 '11 at 15:18
  • @Rory Alsop For the record there have been 8,699 secuirty questions posted to SO. There have been 669 questions posted to all of secuirty.se. I have personally answered 630 security questions on SO. – rook Mar 29 '11 at 15:26
  • @Rook - I see them. Not arguing with the numbers, security SE didn't exist 6 months ago, so there was no better place to have them. Now there is a suitable place, and I am glad you are active over there as well. – Rory Alsop Mar 29 '11 at 15:36

1 Answers1

1

There shouldn't be a problem with both Alice and Bob having a shared key for bi-directional communication. In fact this is a lot like SSL/TLS's shared master secret. The only consideration is that you cannot use the same iv+master key combo with any packet. Also this iv must be random.

One improvement that can be made to this Schneier/Ferguson protocol is using cmac mode, which would remove the need for the hmac_key. This would reduce bandwidth used in the handshake and cpu usage for each packet.

In terms of your variant of this protocol. You still have to rely upon transmitting encrypted_entropy = RSA_Encryptpubk_A(entropy). This is an important step because you need to have a shared secret. The use of a known value pubk_A in the key generation bothers me. Keep in mind that it should be assumed that any public key is known to the attacker. The use of sha256 doesn't make this value more random or more difficult to brute force. Thus the number of guesses the attacker has to make is equivalent for these three calculations: sha512(sha256(pubk_A)+entropy),sha512(pubk_A+entropy),sha512(entropy). Which means this is a waste of resources because you are not obtaining an advantage over your attacker.

Community
  • 1
  • 1
rook
  • 66,304
  • 38
  • 162
  • 239
  • The nonce in my protocol is actually the IV for CTR mode AES. The chances of having an overlapping master key/IV combo are astronomically small, but not 0. – Omnifarious Mar 28 '11 at 18:21
  • @Omnifarious You can't use the same IV for every packet, in fact the same iv+key must never repeat. – rook Mar 28 '11 at 18:30
  • Thanks for the pointer to cmac. I don't think I'll be using it because I'm fairly far down the road of using CTR mode. But I will be reading up on it to understand what's going on. And yes, I know. The IV is incremented for every 16-byte block I encrypt. The chances of overlap are, of course, much higher than the chances of outright collision, but they are still smaller than the chances of someone guessing the key. I do limit a session using the same master key + IV to 2^60 blocks. – Omnifarious Mar 28 '11 at 18:30
  • @Omnifarious Your right, there isn't a problem with the nonce+ctr mode. However, both parties **MUST** use a different key or nonce otherwise they will be producing the same PRNG stream. But the solution is simple. Currently you are transmitting an 64 byte shared secret and then cutting it apart for your needs. Transmit an extra 32 bytes of entropy for bob's key. – rook Mar 28 '11 at 18:36
  • Well, the reason for adding in pubk_A and pubk_B is not to increase entropy, but to provide different keys for the alice->bob and bob->alice directions. I know it won't increase the guesswork required. The amount of entropy in the entropy parameter is actually equal to the maximum number of bits that can be encrypted with Alice's public key in a single RSA operation. – Omnifarious Mar 28 '11 at 18:37
  • @Omnifarious The size of data that RSA can encrypt is dependent on the size the key you use. Ideally the size of the `entropy` used in the original protocol should be as large as possible, but at least 64 bytes. Stretching the entropy should be avoided as this weakens the system, nothing is free, you can't just make new entropy this way. Also, there is no sense in padding the RSA message and then using a digest function on the smaller message. – rook Mar 28 '11 at 18:52
  • @Rook - Yes, exactly. I pack as much entropy as I possibly can into encrypted_entropy. The minimum key size for long-lived keys in my system is about 2kbits, so that's 256 bytes of entropy. And the minimum size is 768 bits (for very short lived keys) and that means 96 bytes of entropy. – Omnifarious Mar 28 '11 at 18:59
  • @Omnifarious Awesome, thats more than enough entropy for both Alice and bob to have unique, and strongly derived keys. I think this is the best solution for your protocol. – rook Mar 28 '11 at 19:00
  • @Rook: Yes, you're right. There is no real need to use the public keys the way I am. I can just chop up the entropy. Thanks. – Omnifarious Mar 28 '11 at 19:03
  • @Omnifarious No problem. I like this question. – rook Mar 28 '11 at 19:04
  • @Rook - If you're curious, the full cryptosystem I'm working on is CAKE - http://www.cakem.net/ – Omnifarious Mar 28 '11 at 20:24
  • @Omnifarious interesting. Another issue is, i'm not sure how you are getting entropy but if /var/urandom is available you should use it. – rook Mar 28 '11 at 21:28
  • @Rook: Why not? And how about `/dev/urandom`? – Omnifarious Mar 28 '11 at 22:11
  • @Omnifarious I'll check out your protocol, I'm actually working on my own for fun. In terms of randomness `/dev/random` is really good, and an ideal source. However it will block you need more entropy than is available in the entropy pool, so `/dev/urandom` will use stretching to meet the demand. In a network protocol its not a good idea to wait, so `/dev/urandom` is best. Check out this post: http://stackoverflow.com/questions/3436376/what-is-the-most-secure-seed-for-random-number-generation – rook Mar 29 '11 at 01:12