
Key Derivation Function: The SCKDF Scheme

Chuah Chai Wen, Edward Dawson, and Leonie Simpson

Queensland University of Technology, chaiwen.chuah, e.dawson, [email protected]

Abstract

A key derivation function is used to generate one or more cryptographic keys from a private string. These cryptographic keys are critical in protecting the integrity or confidentiality of data stored in insecure environments or transmitted over insecure channels. There is a need to ensure these cryptographic keys are pseudorandom. This paper proposes a new method for key derivation functions based on stream ciphers. We show that our proposed stream cipher based key derivation function is a secure key derivation function with better performance metrics compared to the existing key derivation function proposals.

1 Introduction

A key derivation function (KDF) is a basic component of a cryptographic system. It is used to generate one or more cryptographic keys from a private string, such as a password, a Diffie-Hellman (DH) shared secret or non-uniformly random source material [10,11,14,22]. The derived cryptographic keys are used for maintaining information security and protecting electronic data when it is stored and transmitted. To prevent an adversary gaining any useful information about the private string, it is essential that the cryptographic keys generated by the KDF are pseudorandom. That is, given a string, the adversary should not be able to distinguish whether the string is a cryptographic key generated by the KDF or a random string chosen from the cryptographic key space.

Most previous KDF designs are single phase [1,5,12,21]. The input to a single phase KDF is the concatenation of the private string and some public string. The public string consists of a random string, or a concatenation of a counter, an identifier or the identities of the communicating parties. A more recent KDF design trend which offers increased flexibility is the two phase KDF [7,13]. This typically consists of an extractor and an expander. The inputs to the extractor are the private string and a public random string, while the inputs to the expander are the output from the extractor and the context information. In this design, extractor and expander are two independent sub-functions, which can be designed and analysed separately. This permits mixing and matching different types of extractor and expander functions to form good extract-then-expand KDF proposals, in terms of security and/or performance.

Many existing KDF proposals are composed using hash functions and block ciphers. Both hash functions and block ciphers divide the input into a series of equal-sized blocks, with some padding necessary if the last input block is not of the appropriate length. The input blocks are processed in sequence with a one-way compression function, and the output is of a fixed block size. For example, Secure Hash Function-1 (SHA1) is a hash function which operates on 512 bit input blocks and generates a 160 bit output. Another example is the block cipher Advanced Encryption Algorithm-128 (AES), where the input blocks and output block are 128 bits long. A KDF generates cryptographic keys of arbitrary length. Where the required length is not a multiple of the output block size, modification is necessary. Generally, the approach is to produce multiple output blocks until the required length has been obtained and to discard any bits in excess of the required length. For example, the KDF in [10] is required to generate a 512 bit cryptographic key. If a SHA1 based KDF is used to generate the cryptographic key, it has to produce four 160 bit blocks of output, 640 bits in total. The first 512 bits are used as the cryptographic key and the remaining 128 bits are discarded. This may be regarded as wasteful.

There is increasing interest in providing efficient KDFs. KDFs are widely used in Internet protocols [10,11,14,22]. Mobile devices like smartphones are increasingly used to access the Internet. Smartphones are designed with low processing power and constrained memory, so efficiency is important. Hash functions and block ciphers are often slower and require more resources than stream ciphers in a running system. Thus, a KDF based on stream ciphers may be better suited to this and similar applications.

This paper proposes a new KDF based on stream ciphers (SCKDF). The SCKDF can generate a cryptographic key of arbitrary length without discarding any leftover bits, saving resources. Furthermore, stream ciphers are often used for their speed and simplicity of implementation in hardware, as in mobile devices. SCKDF will no doubt perform better than hash function based KDFs and block cipher based KDFs. Therefore the outcomes of this research will contribute to the development of secure and more efficient KDFs based on stream ciphers.

2 Background for KDFs

Generally, a key derivation function is defined as K ← KDF(p, s, c, n), where

– p is a private string chosen from the space of all possible private strings PSPACE; we denote the length of p as pl;

– s is a salt, a public random string chosen from the salt space SSPACE; we denote the length of s as sl;

– c is a public context string chosen from a context space CSPACE; the length of c is cl;

– n is a positive integer that indicates the number of bits to be produced by the KDF;

– K is the derived cryptographic key of length n bits.

Note that all inputs are publicly known, except for the private string p. The salt is uniformly random and is used to create a large set of possible keys corresponding to a given p [21]. Context information is arbitrary but application specific data; for example, a session identifier or the identities of the communicating parties [2,3,4]. The basic operation of a KDF is to transform p and the public inputs (s and/or c) into an n bit pseudorandom string which can be used as a cryptographic key. The cryptographic key is classified as pseudorandom if no polynomial time algorithm can distinguish between the cryptographic key and a random string chosen uniformly from the cryptographic key space of the same length. The length, n, of the cryptographic key is an application specific security parameter.

2.1 Outline of Single Phase KDFs

A single phase KDF uses a pseudorandom function that takes the private input and the public inputs and transforms them into one or more pseudorandom cryptographic keys of variable length. The cryptographic keys must be indistinguishable in polynomial time from random strings of the same length.

Definition 1 A KDF is a function F : {0,1}^pl × {0,1}^sl × {0,1}^cl → {0,1}* mapping p ∈_R PSPACE to a string of arbitrary length in {0,1}*. The string must be indistinguishable in polynomial time from random strings of the same length.

2.2 Outline of Two Phase KDFs

A two phase KDF is the composition of two subfunctions: an extractor (Ext) and an expander (Exp). Note that the output of the extractor is an input to the expander. The typical construction of a two-phase KDF is KDF(p, s, c, n) = Exp(Ext(p, s), c, n). We discuss each phase below.

Extractor. An extractor is a function applied to a non-uniformly random p which nevertheless contains a good amount of randomness (entropy); it "extracts" that almost uniform entropy and generates a pseudorandom output whose distribution is close to uniform, which we denote PRK. The extractor used in this research is a computational extractor. Before we present the formal definition of the computational extractor, we recall the notion of min-entropy, which captures the worst case amount of entropy of a random variable. Here, the random variable is the private string p.

Definition 2 A probability distribution P has min-entropy (at least) pl if for all p′ in the support of P and for a random variable p drawn according to P, Prob(p = p′) ≤ 2^−pl [13].

Definition 3 Let PSPACE and SSPACE be probability distributions over {0,1}^pl and {0,1}^sl respectively. A function Ext : {0,1}^pl × {0,1}^sl → {0,1}^kl is called a (t, ε)-computational extractor with respect to SSPACE if the distribution of pairs (p, PRK), where p is chosen with uniform probability over {0,1}^pl and PRK = Ext_p(s) for s chosen according to the distribution SSPACE, is (t, ε) computationally indistinguishable from the pairs (p, PRK′), where PRK′ is chosen with uniform probability from {0,1}^kl. If Ext is a (t, ε)-computational extractor w.r.t. all distributions over {0,1}^sl with min-entropy m, we call it an (m, t, ε)-computational extractor (adapted from [13]).

Expander. Expansion is a standard scheme that takes the output from the extractor phase, namely a pseudorandom string, as a seed to the expansion function and generates one or more pseudorandom cryptographic key(s) of arbitrary length.

Definition 4 A function Exp : {0,1}^kl × {0,1}^cl → {0,1}* maps PRK ∈ PRKSPACE to a string of arbitrary length in {0,1}*. The string should be indistinguishable in polynomial time from random strings of the same length.

2.3 The Security of KDF

The major security goal for a KDF is that the cryptographic keys generated by the KDF are indistinguishable from truly random binary strings of the same length. That is, this KDF security goal is formalised as the adversary's inability to gain any information about cryptographic keys derived from a private string, even though the public inputs are provided to the adversary.

Here, we present the security definition from Krawczyk [13]. We refer to this security model as CCS-secure. Krawczyk modelled CCS-security through a distinguisher game played between a challenger C and an adversary A in polynomial time t, where the KDF is considered secure if no A can win the distinguisher game with probability significantly greater than the probability of winning by guessing randomly. The CCS model is below.

Definition 5 (CCS-secure) The KDF is (t, q, ε) CCS-secure if for all adversaries A running in polynomial time t and making at most q < |CSPACE| queries to the KDF with a known fixed salt and chosen context information, A can win the following indistinguishability game with probability not larger than (1/2 + ε).

Learning stage
1. C chooses p ← PSPACE.
2. C chooses s ←_R SSPACE.
3. A is provided with the value s.
4. For i = 1, ..., q′ ≤ q:
   (4.1) A chooses c_i ← CSPACE.
   (4.2) C computes K_i = F(p, s, c_i, n).
   (4.3) A is provided with the derived cryptographic key K_i.

Challenge stage
1. A chooses c ← CSPACE (subject to the restriction c ∉ {c_1, ..., c_q′}).
2. C chooses b ←_R {0,1}.
   (2.1) If b = 0, C outputs K′ = F(p, s, c, n),
   (2.2) else C outputs K′ ←_R {0,1}^n.
3. C sends K′ to A.

Adaptive stage
1. Step 4 of the Learning stage is repeated for up to q − q′ queries (subject to the restriction c_i ≠ c).
2. A outputs b′ = 0 if A believes that K′ is the cryptographic key, else outputs b′ = 1.

A wins the game if b′ = b.

2.4 Existing KDF Proposals

To date, single phase and two phase KDF proposals have been based on cryptographic hash functions and block ciphers. Hash functions are widely used in data authentication and block ciphers in data confidentiality. However, both cryptographic primitives can be adapted for use as a KDF. Examples of two phase KDFs based on hash functions and block ciphers are given below. Note that these two phase KDFs are proven CCS-secure.

Hash Functions. In [13], Krawczyk formalised a KDF using the HMAC-SHA families (HKDF). He proved that HKDF is CCS-secure. The proposed KDF consists of a computational extractor and a pseudorandom expander. The extractor function is Ext_p(s) : F((s ⊕ opad) ‖ F((s ⊕ ipad) ‖ p)), where F denotes a hash function. The output of this phase (PRK) has the length of the hash digest. The salt s is proposed to have the same length as the hash digest of F, which we denote fl. If sl < fl or sl > fl, s is hashed so that sl = fl.

The expander phase of HKDF is Exp_PRK(c, n) : K(1) ⇐ F((PRK ⊕ opad) ‖ F((PRK ⊕ ipad) ‖ c ‖ 0)), where F is the hash function. If kl < fl or kl > fl, PRK is hashed so that kl = fl. This scenario can arise when two different hash functions are used to construct the extractor and the expander; for example, SHA1 is used to construct the extractor and SHA512 is used to build the expander. The output length of the expander phase is fl. If n > fl, a second or further iterations are necessary until the required length has been obtained, i.e. until the total output length is at least n. The expander iteration is: K(i + 1) ⇐ F((PRK ⊕ opad) ‖ F((PRK ⊕ ipad) ‖ K(i) ‖ c ‖ i)), 1 ≤ i < t, where t = ⌈n/fl⌉. The cryptographic key is the concatenation K(1) ‖ K(2) ‖ ... ‖ K(t). The first n bits are used as the cryptographic key and the remaining bits are discarded.
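As an added illustration (not code from the paper), HKDF extract-then-expand in Python over the standard library's hmac, following RFC 5869 rather than the paper's notation: an empty salt becomes fl zero bytes instead of hashing the salt, and the block counter is appended as a single byte starting at 1. block_accounting reproduces the introduction's SHA1 arithmetic: a 512 bit key needs 4 blocks, 640 bits, of which 128 are discarded.

```python
"""HKDF extract-then-expand (RFC 5869 shape) plus the block-count and discard arithmetic."""
import hashlib
import hmac
import math


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha1") -> bytes:
    """Extractor: PRK = HMAC_salt(ikm), i.e. F((salt xor opad) || F((salt xor ipad) || ikm)).
    An empty salt is replaced by fl zero bytes, as RFC 5869 specifies (the paper hashes it instead)."""
    fl = hashlib.new(hash_name).digest_size
    if not salt:
        salt = bytes(fl)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, n_bytes: int, hash_name: str = "sha1") -> bytes:
    """Expander: K(i) = HMAC_PRK(K(i-1) || info || i) with K(0) empty and i a single byte;
    produce t = ceil(n / fl) blocks, keep the first n bytes, discard the rest."""
    fl = hashlib.new(hash_name).digest_size
    t = math.ceil(n_bytes / fl)
    assert t <= 255, "single-byte counter limits the output to 255 blocks"
    blocks, prev = [], b""
    for i in range(1, t + 1):
        prev = hmac.new(prk, prev + info + bytes([i]), hash_name).digest()
        blocks.append(prev)
    return b"".join(blocks)[:n_bytes]


def block_accounting(hash_name: str, n_bits: int) -> tuple:
    """(blocks produced, bits produced, bits discarded) when a hash-based expander
    with digest length fl must deliver an n-bit key."""
    fl = 8 * hashlib.new(hash_name).digest_size
    t = math.ceil(n_bits / fl)
    return t, t * fl, t * fl - n_bits


if __name__ == "__main__":
    # Constructed inputs; the introduction's example: SHA1 expander, 512 bit key.
    print(block_accounting("sha1", 512))          # (4, 640, 128)
    prk = hkdf_extract(b"public salt", b"constructed private string")
    print(hkdf_expand(prk, b"session context", 64).hex())
```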

Block Ciphers. Another two phase KDF is the AES-CMAC based KDF described in NIST SP800-108 [6]. CMAC is a keyed hash function that is based on a symmetric key block cipher, such as AES [16]. The AES block cipher supports key sizes of 128, 192 and 256 bits and has an output size of 128 bits. The AES-CMAC based extractor can use AES-128, 192 or 256, but the expander is fixed to use AES-128.

The extractor function for AES-CMAC is PRK_i = F_s(PRK_{i−1} ⊕ p_i), where F is AES (128, 192 or 256), 1 ≤ i ≤ t, t = ⌈pl/128⌉ and PRK_0 = 0^128. During the extractor phase, the input p is broken up into 128 bit blocks, which are processed sequentially with AES under the key s. The output of each processed block is XORed with the next input block and the result is processed with AES under the key. The process continues until the last block of input. The last block of p is processed slightly differently: the input to the last operation includes the last input block, the output from the previously processed block, s, and a subkey. The subkey is generated from s using AES-128. If the last block is a padding block then the subkey is K2, else the subkey is K1, such that p_t = p_t ⊕ K_b, b ∈ {1, 2}. The subkey generation algorithm is shown in [6] (Figure 2.2). The output from this extraction phase is 128 bits and we denote it PRK.

As mentioned above, only AES-128 can be used to build the expander. PRK and c are the inputs to the expander phase. PRK is used as the key to AES as well as for the subkey generation of K1 and K2. The expander function is: K(i) ⇐ F_PRK(K(i−1) ⊕ c_i), where F is AES-128, 1 ≤ i ≤ t, t = ⌈cl/128⌉ and K(0) = 0^128. The process of the expander is similar to the extractor phase: c is broken into equally sized 128 bit blocks, and each block is processed sequentially with AES using PRK as the key. Again, if the last block of c is a padding block it is XORed with the subkey K2, else the last block is XORed with the subkey K1, such that c_t = c_t ⊕ K_b, b ∈ {1, 2}. Once i = t, the function outputs a 128 bit string. If the required output n is greater than 128 bits, for example 200 bits, another iteration with the same PRK is used to produce the next 128 bits. As a result, the expander produces 256 bits but only the first 200 bits are used and the remaining 56 bits are discarded. Note that c is a string that contains an integer counter; the counter is increased by 1 at each iteration, therefore each output block is different.

3 Keystream Generator for Stream Ciphers

A typical stream cipher consists of a pseudorandom keystream generator which produces a pseudorandom keystream that appears to be unpredictable from the initial key. The keystream is combined with the plaintext using bitwise exclusive-OR (XOR) to produce the ciphertext, accomplishing encryption. To recover the plaintext, the identical keystream is used to decrypt the ciphertext.

Fig. 1. Keystream Generator [20]

Figure 1 illustrates the generic keystream generator (KG) as in Definition 6. The inputs to the KG are usually the key and the initial value (IV). The output is a pseudorandom keystream, which can be in bits, bytes or words: Z_1, Z_2, ..., Z_t. Initialisation and keystream generation are the two major processes in a KG. The purpose of the initialisation process is to diffuse the key-IV pair through the cipher and make it hard for an attacker to compute the relation between this key-IV pair and its associated keystream. The initialisation process is performed in two phases, namely loading and diffusion. The loading phase transfers the key and IV into the cipher's state, known as the "loaded state". Following this is the diffusion phase, which consists of a number of applications of the initialisation state update function to the cipher's state. Each initialisation state update function is a mapping from the state space to itself. In a well designed stream cipher, the mapping function should be one-to-one and nonlinear. Upon completion of the diffusion phase, the KG is in its "internal state" (is) and ready for the keystream generation process. There are three major parts of keystream generation: the internal state, the next state function and the output function. The internal state is readied by the initialisation phase. The output function takes the internal state and produces the keystream. The next state function takes the internal state and generates a new internal state. Note that the keystream generation state update function can be different from, or the same as, the initialisation state update function.

The security of a stream cipher resides in the keystream generator (KG). For example, if the keystream generator generates an endless keystream of zeros, the ciphertext is the plaintext. Also, if the keystream sequence is repeated, this weakness allows an adversary to recover the plaintext by using the repeated keystream to decrypt the ciphertext. Clearly, the KG must produce a pseudorandom keystream. Hence, the KG is required to have the properties of Definition 6 and Definition 7.

Definition 6 Let KEYSPACE, IVSPACE, ISSPACE and ZSPACE be sets over {0,1}^k, {0,1}^i, {0,1}^is and {0,1}* respectively. A keystream generator is a pseudorandom generator (Definition 7): {0,1}^k × {0,1}^i → {0,1}^is → {0,1}*. The key and IV are diffused to form the internal state of length is, which is then mapped to a pseudorandom keystream Z of arbitrary length.

Definition 7 A pseudorandom generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2 [15].

4 Stream Cipher Based KDF

4.1 Basic Definitions

The following list gives the basic definitions necessary to explain the specification of the SCKDF.

• V_p → In SCKDF, V_p is the memory in the computer that stores Vl_p bits of p. V_p is used in the extractor phase. One property requirement for stream ciphers is the key; V_p has the same property as the key for the stream cipher.

• Vl_p → Vl_p is the length of V_p. In a stream cipher, Vl_p is the length or size of the key.

• V_s → V_s is the memory in the computer that stores Vl_s bits of s. V_s is used in the extractor phase. Another property requirement for stream ciphers is the initial vector (IV); V_s has the same property as the IV for the stream cipher.

• Vl_s → Vl_s is the length of V_s.

• V_k → V_k is the memory in the computer that stores Vl_k bits of PRK. V_k is used in the expander phase. V_k has the same property as the key for the stream cipher.

• Vl_k → Vl_k is the length of V_k.

• V_c → V_c is the memory in the computer that stores Vl_c bits of c. V_c is used in the expander phase. V_c has the same property as the IV for the stream cipher.

• Vl_c → Vl_c is the length of V_c. Vl_c is the length or size of the IV.

• d → Vl_p + Vl_s, the total length of the key and IV of the stream cipher.

4.2 Extractor

We presented the notions of statistical extractor and computational extractor in Section 2.2. Our generic stream cipher based extractor is designed as a computational extractor, which can be applied to any type of input and whose output is indistinguishable from a random string. More precisely, we say that a computationally bounded attacker can break this extractor in time t with probability not greater than ε.

Our proposed generic stream cipher based extractor consists of the KG from Definition 6. Figure 2 depicts our extractor proposal. The KG takes as inputs Vl_p bits of p and Vl_s bits of s and transfers p and s into the cipher's state. If pl is greater than Vl_p, then the KG generates Vl_p bits of keystream and the same process is iterated over the entire length of p; otherwise the KG generates Vl_k bits of keystream and the extraction phase ends. The model is defined as follows.

Fig. 2. Extractor based on stream ciphers

Input: p, s, Vl_p, Vl_s, Vl_k, cl and n.

– V_p is loaded with Vl_p bits of p.

– sl is proposed to be at most Vl_s bits.

– s can be null. Then V_s is loaded with Vl_s bits of p.

Process:

1. When s is null
   (a) V_p and V_s are loaded with p_i, i = 0, 1, ..., d − 1.
       i. If i == pl, then proceed to Step 3.
       ii. Else, use V_p and V_s as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = d.
           A. for (i = d; i < pl; i = i + d)
              – for (j = 0; j < Vl_p; j++)
                • V_p = Z_t ⊕ p[i+j], where t = 0, ..., Vl_p. (V_p is loaded with the new value.)
              – for (j = Vl_p; j < d; j++)
                • V_s = Z_t ⊕ p[i+j], where t = Vl_p, ..., d − 1. (V_s is loaded with the new value.)
           B. If i == pl, then proceed to Step 3.
           C. Else, use V_p and V_s as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = d.

2. When sl ≤ Vl_s
   (a) V_p is loaded with p_i, i = 0, 1, ..., Vl_p − 1.
   (b) If sl < Vl_s, concatenate s with 0 until sl = Vl_s. V_s is loaded with s_i, i = 0, 1, ..., sl − 1.
       i. If i == pl, then proceed to Step 3.
       ii. Else, use V_p and V_s as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = d.
           A. for (i = Vl_p; i < pl; i = i + d)
              – for (j = 0; j < Vl_p; j++)
                • V_p = Z_t ⊕ p[i+j], where t = 0, ..., Vl_p. (V_p is loaded with the new value.)
              – for (j = Vl_p; j < d; j++)
                • V_s = Z_t ⊕ p[i+j], where t = Vl_p, ..., d. (V_s is loaded with the new value.)
           B. If i == pl, then proceed to Step 3.
           C. Else, use V_p and V_s as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = d.

3. Use V_p and V_s as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t.
   (a) If c is null, t = n. Step 3 is then considered the expander phase.
   (b) Else t = Vl_k.

Output:

– If c is null, cryptographic key = Z_t.

– Else, PRK = Z_t, where PRK is the input to the expander phase.

4.3 Expander

We formalise our stream cipher based expander from Definition 4; it is a relatively straightforward function. It takes the fixed length input from the extractor phase together with c of arbitrary length and generates pseudorandom output of arbitrary length. Note that the stream cipher's keystream generator is based on Definition 6. Figure 3 illustrates the expander model, followed by the algorithm.

Fig. 3. Expander based on stream ciphers

Input: PRK, c, cl, Vl_k, Vl_c and n.

– PRK is the output from the randomness extractor and the length of PRK = Vl_k.

– c is a string of arbitrary length; if cl mod Vl_c is greater than 0, pad c with 100...0 until cl mod Vl_c = 0.

– If c is null, then V_c is loaded with Vl_c bits of 0.

– n is the length of the cryptographic key.

Process:

1. V_k is loaded with PRK.

2. V_c is loaded with Vl_c bits of c.
   – If cl ≤ Vl_c, then
     • proceed to Step 3.

3. Use V_k and V_c as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = Vl_k.
   – for (i = Vl_c; i < cl − Vl_c; i = i + Vl_c)
     ∗ V_k is loaded with Z_t.
     ∗ V_c is loaded with Vl_c bits of c_i.
     • if (i = cl − Vl_c)
       ∗ proceed to Step 3.
     • else
       ∗ use V_k and V_c as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = Vl_k.

4. Use V_k and V_c as the inputs to KG and generate a sequence of keystream Z_0, Z_1, ..., Z_t, where t = n.

Output: Cryptographic key = Z_t.
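The extractor (4.2) and expander (4.3) above, implemented end to end as an added Python example; this is not the authors' code, and the keystream generator is a bit-level Trivium written from the eSTREAM specification (80 bit key and IV, so Vl_p = Vl_s = Vl_k = Vl_c = 80 and d = 160), not one of the reference implementations the paper benchmarks. Assumptions the paper leaves open: LSB-first bit order within bytes, a final short chunk of p zero-padded to d bits, and the "proceed to Step 3" branches read as "skip the loop when the input fits in one load".

```python
"""SCKDF sketch: Section 4.2 extractor and Section 4.3 expander over a Trivium keystream generator."""
from typing import List

Bits = List[int]

# Trivium key and IV are 80 bits each, so (assumption) Vl_p = Vl_s = Vl_k = Vl_c = 80 and d = 160.
VLP, VLS, VLK, VLC = 80, 80, 80, 80
D = VLP + VLS


def bytes_to_bits(data: bytes) -> Bits:
    """LSB-first bit list per byte (bit-ordering convention assumed by this sketch)."""
    return [(b >> i) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: Bits) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is zero-padded."""
    out = bytearray((len(bits) + 7) // 8)
    for idx, bit in enumerate(bits):
        out[idx // 8] |= bit << (idx % 8)
    return bytes(out)


def trivium_kg(key: Bits, iv: Bits, nbits: int) -> Bits:
    """KG(key, IV) -> Z_0 .. Z_{nbits-1}, written from the eSTREAM Trivium specification.
    Loading: key into register A, IV into register B, constant 111 at the end of register C.
    Diffusion: 4 * 288 clocks with no output.  Keystream generation: one bit per clock."""
    assert len(key) == VLP and len(iv) == VLS
    s = key + [0] * 13 + iv + [0] * 4 + [0] * 108 + [1, 1, 1]      # 93 + 84 + 111 = 288 bits
    out: Bits = []
    for clock in range(4 * 288 + nbits):
        t1, t2, t3 = s[65] ^ s[92], s[161] ^ s[176], s[242] ^ s[287]
        if clock >= 4 * 288:
            out.append(t1 ^ t2 ^ t3)
        t1 ^= (s[90] & s[91]) ^ s[170]
        t2 ^= (s[174] & s[175]) ^ s[263]
        t3 ^= (s[285] & s[286]) ^ s[68]
        s = [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]    # shift A, B, C by one bit
    return out


def sckdf_extract(p: Bits, s: Bits, t_out: int) -> Bits:
    """Section 4.2.  Absorb all of p through the key/IV registers, then emit t_out keystream bits.
    s given (sl <= Vl_s): V_p <- first Vl_p bits of p, V_s <- s zero-padded, rest of p from offset Vl_p.
    s null:               V_p || V_s <- first d bits of p, rest of p from offset d."""
    assert len(s) <= VLS, "a salt longer than the cipher's IV is outside the paper's model"
    if s:
        vp, vs, i = p[:VLP], s + [0] * (VLS - len(s)), VLP
    else:
        vp, vs, i = p[:VLP], p[VLP:D], D
    assert len(vp) == VLP and len(vs) == VLS, "p must be at least Vl_p (resp. d) bits"
    while i < len(p):                                # steps 1(a)ii.A-C / 2(b)ii.A-C
        z = trivium_kg(vp, vs, D)
        chunk = p[i:i + D]
        chunk = chunk + [0] * (D - len(chunk))       # assumption: final short chunk zero-padded
        vp = [z[j] ^ chunk[j] for j in range(VLP)]
        vs = [z[j] ^ chunk[j] for j in range(VLP, D)]
        i += D
    return trivium_kg(vp, vs, t_out)                 # step 3: t = Vl_k (PRK) or t = n (no context)


def sckdf_expand(prk: Bits, c: Bits, n: int) -> Bits:
    """Section 4.3.  V_k <- PRK, V_c <- successive Vl_c-bit blocks of c (padded 100...0);
    between blocks V_k is reloaded with Vl_k keystream bits; the last run emits the n-bit key."""
    assert len(prk) == VLK
    if not c:
        blocks = [[0] * VLC]                         # null context: V_c <- Vl_c zero bits
    else:
        rem = len(c) % VLC
        padded = c + ([1] + [0] * (VLC - 1 - rem) if rem else [])
        blocks = [padded[k:k + VLC] for k in range(0, len(padded), VLC)]
    vk, vc = prk, blocks[0]
    for block in blocks[1:]:
        vk, vc = trivium_kg(vk, vc, VLK), block
    return trivium_kg(vk, vc, n)                     # step 4


def sckdf(p: bytes, s: bytes, c: bytes, n_bytes: int) -> bytes:
    """K <- SCKDF(p, s, c, n).  With c null the extractor's last run emits the key directly."""
    pb, sb, cb = bytes_to_bits(p), bytes_to_bits(s), bytes_to_bits(c)
    if not cb:
        return bits_to_bytes(sckdf_extract(pb, sb, 8 * n_bytes))
    prk = sckdf_extract(pb, sb, VLK)
    return bits_to_bytes(sckdf_expand(prk, cb, 8 * n_bytes))


if __name__ == "__main__":
    # Constructed inputs with the sizes of the paper's Exp 1 (p 128 B, s 8 B, c 32 B, n 64 B).
    print(sckdf(bytes(range(128)), b"salt-xyz", b"\x07" * 32, 64).hex())
```

Because the final KG run emits exactly n bits, a longer key for the same inputs is a prefix-extension of the shorter one and nothing is discarded, which is the property the paper contrasts with the hash-based truncation.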

5 The Security of SCKDF

Theorem 1 Let Ext be a (t_X, ε_X)-computational extractor w.r.t. the private string p and Exp a (t_P, q_P, ε_P)-secure variable-length-output pseudorandom function family; then the above extract-then-expand KDF scheme is (min{t_X, t_P}, q_P, ε_X + ε_P)-secure w.r.t. the private string p [13].

Theorem 1 argues the security of the generic two phase KDF which consists of the extractor and the expander. The generic SCKDF is a two phase KDF, hence Theorem 1 allows us to argue that SCKDF is a secure extract-then-expand KDF. A detailed proof of Theorem 1 can be found in [13]. In this section we review the properties of the KG based on Definition 6 and Definition 7, and then use them to prove the security of SCKDF.

Lemma 1 Let KG be a keystream generator built from a family of pseudorandom keystream generators. If SCKDF is built from the KG, then SCKDF is a secure KDF w.r.t. the private string p.

Proof. A family of pseudorandom keystream generators is based on Definition 6 and Definition 7. We build an SCKDF with a KG from the family of pseudorandom keystream generators. Note that SCKDF consists of the extractor (Ext) and the expander (Exp); this means Ext and Exp are both built with the KG, which satisfies Definition 6 and Definition 7.

Theorem 1 follows the security Definition 5. From Theorem 1, the adversary is allowed to query p_i ∈ PSPACE and c_i ∈ CSPACE, i = 1, 2, ..., q_P. The p_i queries correspond to the adversary brute forcing p. In Definition 5, p, s and n are fixed: p is secret; s and n are known to the adversary. Let K_i = SCKDF(p, s, c_i, n) and PRK_i = Ext(p_i, s). SCKDF is based on a pseudorandom KG satisfying Definition 6 and Definition 7, so for single bit changes of p_i and c_i, Ext and SCKDF will generate a different PRK_i and cryptographic key K_i respectively. Hence, the adversary has only the trivial probability ε_X + ε_P of finding the real p and distinguishing the cryptographic key generated from the real p. Thus, SCKDF is a secure KDF w.r.t. the private string p.

6 Performance Measurement

The performance experiment for the stream cipher, hash function and block cipher based KDFs measures the execution time taken to generate n bits of cryptographic key from p, s and c. The code for the stream ciphers, hash functions and block ciphers is retrieved from [17], [9] and [19] respectively. The stream ciphers are Trivium, Sosemanuk and Rabbit. The hash functions are the HMAC-SHA families and the block cipher is AES128 CMAC. The lengths of these four parameters are taken from the applications below:

Application 1: Host identity protocol version 2 (HIPv2) is based on the DH shared secret key exchange protocol, which provides secure communication and maintains shared IP-layer state between two separate parties [11]. HIPv2 provides protection against attacks on the confidentiality and integrity of the communication between these two parties. These protections require cryptographic keys. The cryptographic keys are generated using a KDF and the inputs to the experiments are as below:

Exp 1 : p = 128 bytes, s = 8 bytes, c = 32 bytes, n = 64 bytes
Exp 2 : p = 128 bytes, s = 8 bytes, c = 32 bytes, n = 192 bytes
Exp 3 : p = 256 bytes, s = 8 bytes, c = 32 bytes, n = 64 bytes
Exp 4 : p = 256 bytes, s = 8 bytes, c = 32 bytes, n = 192 bytes

Application 2: PKINIT algorithm agility is applied in the Kerberos protocol [22]. PKINIT uses a KDF to generate the cryptographic keys protecting confidentiality and integrity during communication between two parties. The inputs to the KDF are as below:

Exp 5 : p = 128 bytes, s = null, c = 64 bytes, n = 64 bytes
Exp 6 : p = 128 bytes, s = null, c = 64 bytes, n = 192 bytes
Exp 7 : p = 256 bytes, s = null, c = 64 bytes, n = 64 bytes
Exp 8 : p = 256 bytes, s = null, c = 64 bytes, n = 192 bytes

Application 3: The tunneled extensible authentication method (TEAM) is a method for securing communication between a peer and a server by using transport layer security (TLS) to establish a mutually authenticated tunnel. TEAM provides protection against attacks on the confidentiality and integrity of the inner extensible authentication protocol (EAP) method exchange and provides EAP peer identity privacy [10]. Again, these protections require cryptographic keys. These cryptographic keys are derived from a private string using a KDF. The inputs to the experiments are as below:

Exp 9 : p = 40 bytes, s = 32 bytes, c = null, n = 64 bytes

All experiments are executed four times and the average execution time is recorded. The execution time is captured using CLOCK_MONOTONIC from the C programming language library. All the simulations are done on a machine with the following specifications: Intel(R) Core(TM) 2 Duo CPU E8400 @ 3.00GHz 2.99 GHz, 4GB RAM and a 64 bit OS.

6.1 Extractor Performance

Table 1 compares the performance of the extractors based on stream ciphers, hash functions and block ciphers. The table shows that the extractor based on Trivium has the highest performance.

Extractors/Exp   Exp 1, 2   Exp 3, 4   Exp 5, 6   Exp 7, 8   Exp 9
Trivium              9367      17451       9239      17151     5731
Sosemanuk           21685      31780      21899      33576    17365
Rabbit              17365      26818      17408      26775     7784
SHA1                10864      14200      10950      13858     7784
SHA224              12019      16039      11890      15355     8811
SHA256              11933      15526      11890      16082     8640
SHA384              30197      36571      30326      36014    25663
SHA512              31566      36571      30839      36485    25492
AES128             120834     211470     123828     210700    65271

Table 1. Performance of Extractor (time in nanoseconds).

6.2 Expander Performance

The expander performance results are given in Table 2. The most efficient expander is the Trivium-based expander. Overall, the results show that all of the stream cipher based expanders perform better than the hash function based and block cipher based expanders.

Expander     Exp 1,3   Exp 2,4   Exp 5,7   Exp 6,8    Exp 9
Trivium         4448      5047      8084      8768     2566
Sosemanuk       5303      5988     10522     11591     3165
Rabbit          8640     10351     16339     18392     3849
SHA1           29941     71559     35373     87941    48590
SHA224         27588     66212     29941     69934    40121
SHA256         18178     57530     20103     60737    32849
SHA384         49018     97907     54022    113006    72628
SHA512         25150     75836     25278     55348    49617
AES128        205140    567600    289018    818764   205226

*Performance time is in nanoseconds.
Table 2. Performance of Expander.

6.3 KDF Performance

Table 3 shows the execution time of the extract-then-expand KDFs based on stream ciphers, hash functions and block ciphers across the nine experiments. The three stream cipher candidates, Trivium, Rabbit and Sosemanuk, execute faster than the hash function based and block cipher based KDFs.

KDF          Exp 1   Exp 2   Exp 3   Exp 4   Exp 5   Exp 6   Exp 7    Exp 8   Exp 9
Trivium      13815   14414   21899   22498   17323   18007   25235    25919    8297
Sosemanuk    26988   27673   37083   37768   32421   33490   44098    45167   20530
Rabbit       26005   27716   35458   37169   33747   35800   43114    45167   11633
SHA1         40805   82423   44141   85759   46323   98891   49231   101799   56374
SHA224       39607   78231   43627   82251   41831   81824   45296    85289   48932
SHA256       30111   69463   33704   73056   31993   72627   36185    76819   41489
SHA384       79215  128104   85589  134478   84348  143332   90036   149020   98291
SHA512       56716  107402   61721  112407   56117   86187   61763    91833   75109
AES128      325974  688434  416610  779070  412846  942592  499718  1029464  270497

*Performance time is in nanoseconds.
Table 3. Performance of KDF.

7 Conclusion

We proposed a new KDF based on stream ciphers (SCKDF). We have demonstrated that, theoretically, the proposed SCKDF is secure. In practice, however, SCKDF is not secure if the underlying stream cipher is broken. Likewise, the performance of SCKDF depends on the particular stream cipher: if the stream cipher is fast, SCKDF also performs well, and vice versa. Therefore, the stream cipher must be chosen carefully in constructing a secure and efficient SCKDF.

References

1. C. Adams, G. Kramer, S. Mister, and R. Zuccherato. On the security of key derivation functions. Information Security, 3225:134–145, 2004.

2. ANSI X9.63. Elliptic Curve Key Agreement and Key Transport Protocols, Working Draft, 1998.

3. ANSI X9.42. American National Standard for Financial Services - Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, 2001.

4. E.B. Barker, D. Johnson, and M.E. Smid. SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised). 2007.

5. L. Chen. Recommendation for Key Derivation Using Pseudorandom Functions. NIST Special Publication 800-108, 2008.

6. L. Chen. Recommendation for Key Derivation Using Pseudorandom Functions. NIST Special Publication 800-108, 2009.

7. L. Chen. SP 800-56C: Recommendation for Key Derivation through Extraction-then-Expansion. 2011.

8. D. Dachman-Soled, R. Gennaro, H. Krawczyk, and T. Malkin. Computational extractors and pseudorandomness. Theory of Cryptography, pages 383–403, 2012.

9. D. Eastlake and T. Hansen. US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF). 2011.

10. D. Harkins, G. Zorn, and Q. Wu. Internet-Draft, Network Working Group, intended status: Standards Track, expires September 9, 2011. 2011.

11. T. Heer, P. Jokela, T. Henderson, and R. Moskowitz. Host Identity Protocol Version 2 (HIPv2). 2012.

12. B. Kaliski. PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898, September 2000.

13. H. Krawczyk. Cryptographic Extraction and Key Derivation: The HKDF Scheme. Advances in Cryptology – CRYPTO 2010, pages 631–648, 2010.

14. D. McGrew and B. Weis. Key Derivation Functions and Their Uses, 2010. Available online at http://www.ietf.org/id/draft-irtf-cfrg-kdf-uses-00.txt.

15. A.J. Menezes, P.C. Van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC, 1997.

16. R. Poovendran and J. Lee. The AES-CMAC Algorithm. 2006.

17. M. Robshaw. The eSTREAM Project. New Stream Cipher Designs, pages 1–6, 2008.

18. B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc, 2007.

19. J.H. Song, R. Poovendran, J. Lee, and T. Iwata. The AES-CMAC Algorithm. Internet-Draft draft-songlee-aes-cmac-02.txt, Ibaraki University, November 7, 2005 (expires May 6, 2006). 2005.

20. W. Stallings. Cryptography and Network Security: Principles and Practices, Fourth Edition. Pearson Education India, 2006.

21. F.F. Yao and Y.L. Yin. Design and analysis of password-based key derivation functions. Topics in Cryptology – CT-RSA 2005, pages 245–261, 2005.

22. L. Zhu, M. Wasserman, and L.H. Astrand. PKINIT Algorithm Agility. 2012.