Cryptography Reference
• C is an iteration counter that specifies the number of 'rounds' to compute (just
as discussed for a block cipher in Section 4.4.1, this can be used to trade off
security against efficiency of the key derivation);
• L is the length of the derived key.
Obviously, the benefits of key derivation come at the cost of an increased impact
in the event that a base key becomes compromised. This is just the latest of the
many efficiency-security tradeoffs that we have encountered.
In Section 10.4.2 we will see another variation of this idea, where keys are
derived from old keys and additional data.
10.3.3 Key generation from components
Direct key generation and key derivation are both processes that can be performed
if one entity can be trusted to have full control of a particular key generation
process. In many situations this is an entirely reasonable assumption.
However, for extremely important secret keys it may not be desirable to
trust one entity with key generation. In such cases we need to distribute
the key generation process amongst a group of entities in such a way that
no members of the group individually have control over the process, but
collectively they do. One technique for facilitating this is to generate a key in
component form. We illustrate this by considering a simple scenario involving
three entities: Alice, Bob and Charlie. Assume that we wish to generate a
128-bit key:
1. Alice, Bob and Charlie each randomly generate a component of 128 bits. This
component is itself a sort of key, so any direct key generation mechanism
could be used to generate it. However, given that key generation based on
component form is only likely to be used for sensitive keys, the generation
of components should be performed as securely as possible. We denote the
resulting components by $K_A$, $K_B$ and $K_C$, respectively.
2. Alice, Bob and Charlie securely transfer their components to a secure combiner.
In most applications this combiner will be represented by a hardware
security module (see Section 10.5.3). In many cases the 'secure transfer' of
these components will be by manual delivery. For some large international
organisations, this might even involve several of the components being
physically flown across the world. The input of the components to the secure
combiner is normally conducted according to a strict protocol that takes the
form of a key ceremony (see Section 10.7.2).
3. The secure combiner derives a key $K$ from the separate components. In this
example, the best derivation function is XOR. In other words:
$K = K_A \oplus K_B \oplus K_C$.
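The three steps above as a runnable sketch. This is an added example, not code from the book: the function names are hypothetical, Python's `secrets` module stands in for the component generation mechanism, and an ordinary process stands in for the secure combiner. It also shows why no subset of the holders controls the result: whatever the known components are, every key is still reachable through the one unknown component.

```python
import secrets
from functools import reduce

KEY_BYTES = 16  # 128-bit key, as in the scenario above


def generate_component(n_bytes: int = KEY_BYTES) -> bytes:
    """Step 1: one entity's component, drawn from the OS CSPRNG."""
    return secrets.token_bytes(n_bytes)


def combine(components: list[bytes]) -> bytes:
    """Step 3: K = K_A xor K_B xor K_C (any number of components >= 2)."""
    if len(components) < 2:
        raise ValueError("need at least two components")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all have the same length")
    return bytes(reduce(lambda x, y: x ^ y, col) for col in zip(*components))


def missing_component(known: list[bytes], target_key: bytes) -> bytes:
    """The component that would turn `known` into `target_key`.

    It always exists, so holders of all but one component cannot rule
    out any candidate key.
    """
    return combine(known + [target_key])


def keys_reachable(known: list[bytes]) -> int:
    """Exhaustive count for 1-byte components: how many distinct keys can
    result as the one unknown component ranges over all 256 values."""
    return len({combine(known + [bytes([v])]) for v in range(256)})


if __name__ == "__main__":
    k_a, k_b, k_c = (generate_component() for _ in range(3))
    print("derived key:", combine([k_a, k_b, k_c]).hex())
    # Alice and Bob pooling their components: any guess at K is
    # consistent with some value of Charlie's component.
    guess = bytes(KEY_BYTES)  # constructed candidate key (all zero bytes)
    k_c_for_guess = missing_component([k_a, k_b], guess)
    print("guess consistent:", combine([k_a, k_b, k_c_for_guess]) == guess)
    print("keys reachable (8-bit toy):", keys_reachable([b"\x5a", b"\xc3"]))
```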