Cryptography Reference
laundering' might at first seem a strange thing to do, but there are several
significant advantages of deriving keys from other keys:
Efficiency. Key generation and establishment can be relatively expensive
processes. Generating and establishing one key (sometimes called a base key), and
then using it to derive many keys, can be an effective technique for saving
on these costs. For example, many applications require both confidentiality
and data origin authentication. If separate cryptographic mechanisms are to
be used to provide these two security services then they require an encryption
key and a MAC key (see Section 6.3.6 for a wider discussion of this, and
other options). As we will see in Section 10.6.1, it is good practice to make
sure that the keys used for each of these mechanisms are different. Rather
than generating and establishing two symmetric keys for this purpose, a
cost-efficient solution is to generate and establish one key $K$ and then derive two
keys $K_1$ and $K_2$ from it. For example, a very simple key derivation process
might involve computing:
$K_1 = h(K \,\|\, 0)$ and $K_2 = h(K \,\|\, 1)$,
where $h$ is a hash function.
Longevity. In some applications, long-term symmetric keys are preloaded onto
devices before deployment. Using these long-term keys directly to encrypt
data exposes them to cryptanalysis (as indicated in Section 10.2.1). However,
randomly generating a new key requires a key establishment mechanism to
be used, which may not always be possible or practical. A good solution is to
derive keys for use from the long-term key. In this way, so long as the key
derivation process is understood by all parties requiring access to a key, no
further key establishment mechanism is required and the long-term key is not
exposed through direct use.
Key derivation must be based on a derivation function that is one-way (see
Section 6.2.1). This protects the base key in the event that keys derived from
it are later compromised. This is important because often many different keys are
derived using a single base key, hence the impact of subsequently compromising
the base key could be substantial.
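The derivation described above, as an added example that is not from the original text: two parties holding the same preloaded base key K each derive K1 = h(K || 0) and K2 = h(K || 1) locally, and K2 then authenticates a message without any further key establishment. It assumes SHA-256 for h, a one-byte encoding of the index, and HMAC as the MAC; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def derive_key(base_key: bytes, index: int) -> bytes:
    """K_i = h(K || i): h is SHA-256 here, i is encoded as a single byte."""
    if not 0 <= index <= 255:
        raise ValueError("index must fit in one byte")
    return hashlib.sha256(base_key + bytes([index])).digest()

def derive_pair(base_key: bytes) -> tuple:
    """Return (K1, K2): K1 = h(K || 0) for encryption, K2 = h(K || 1) for the MAC."""
    return derive_key(base_key, 0), derive_key(base_key, 1)

def mac_tag(base_key: bytes, message: bytes) -> bytes:
    """Derive K2 locally and compute HMAC-SHA-256 over the message with it."""
    _, mac_key = derive_pair(base_key)
    return hmac.new(mac_key, message, hashlib.sha256).digest()

def receiver_accepts(base_key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver re-derives K2 from its own copy of K; no key is transmitted."""
    return hmac.compare_digest(mac_tag(base_key, message), tag)

# Constructed sample values, for illustration only.
BASE_KEY = bytes(range(32))        # stands in for a preloaded long-term key K
MESSAGE = b"meter reading: 4711"

if __name__ == "__main__":
    k1, k2 = derive_pair(BASE_KEY)
    print("K1 (encryption):", k1.hex())
    print("K2 (MAC):       ", k2.hex())
    tag = mac_tag(BASE_KEY, MESSAGE)
    print("genuine accepted: ", receiver_accepts(BASE_KEY, MESSAGE, tag))
    print("tampered accepted:", receiver_accepts(BASE_KEY, MESSAGE + b"0", tag))
```

Because h is one-way, an attacker who learns K1 or K2 still cannot work back to K, which is the property the preceding paragraph requires of the derivation function.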
There are standards for key derivation. For example, PKCS#5 defines how a
key can be derived from a password or a PIN, which can be regarded as a relatively
insecure type of cryptographic key, but one which is often long term (such as the
PIN associated with a payment card). Key derivation in this case is defined as a
function f(P, S, C, L), where:
f is a key derivation function that explains how to combine the various inputs
in order to derive a key;
P is the password or PIN;
S is a string of (not necessarily all secret) pseudorandom bits, used to enable P
to be used to derive many different keys;
 