Cryptography Reference
Key Derivation with Nonces

Alice                                        Bob
                                             generate nonce r
                       r
                 ←−−−−−−−−−−
derive key                                   derive key
$k_{ses} = e_{k_{AB}}(r)$                    $k_{ses} = e_{k_{AB}}(r)$

An alternative to encrypting the nonce is hashing it together with $k_{AB}$. One way of achieving this is that both parties perform an HMAC computation with the nonce serving as the “message”:

$k_{ses} = \mathrm{HMAC}_{k_{AB}}(r)$

Rather than sending a nonce, Alice and Bob can also simply encrypt a counter $cnt$ periodically, where the ciphertext again forms the session key:

$k_{ses} = e_{k_{AB}}(cnt)$

or compute the HMAC of the counter:

$k_{ses} = \mathrm{HMAC}_{k_{AB}}(cnt)$

Using a counter can save Alice and Bob one communication session because, unlike the case of the nonce-based key derivation, no value needs to be transmitted. However, this holds only if both parties know exactly when the next key derivation needs to take place. Otherwise, a counter synchronization message might be required.

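The HMAC variants above, as an added example that is not from the original text: both parties derive $k_{ses}$ from a nonce and from a counter, and the counter path shows what happens when one side misses a rekey and has to be resynchronized. The choice of HMAC-SHA-256, the 8-byte counter encoding, the `Party` class and the forward-only rule in `resync` are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def derive_from_nonce(k_ab: bytes, r: bytes) -> bytes:
    """k_ses = HMAC_{k_AB}(r): the nonce r serves as the HMAC message."""
    return hmac.new(k_ab, r, hashlib.sha256).digest()


def derive_from_counter(k_ab: bytes, cnt: int) -> bytes:
    """k_ses = HMAC_{k_AB}(cnt), counter encoded as 8 big-endian bytes."""
    return hmac.new(k_ab, cnt.to_bytes(8, "big"), hashlib.sha256).digest()


class Party:
    """One end of the link: the shared k_AB plus a local counter."""

    def __init__(self, k_ab: bytes):
        self.k_ab = k_ab
        self.cnt = 0

    def rekey(self) -> bytes:
        """Advance the counter and derive the next session key."""
        self.cnt += 1
        return derive_from_counter(self.k_ab, self.cnt)

    def resync(self, peer_cnt: int) -> bool:
        """Apply a counter synchronization message. Assumption of this
        example: only forward moves are accepted, so no key is reused."""
        if peer_cnt <= self.cnt:
            return False
        self.cnt = peer_cnt
        return True


def demo() -> dict:
    k_ab = secrets.token_bytes(32)   # constructed long-term key k_AB
    alice, bob = Party(k_ab), Party(k_ab)
    r = secrets.token_bytes(16)      # constructed nonce, sent in the clear
    out = {"nonce": derive_from_nonce(alice.k_ab, r) == derive_from_nonce(bob.k_ab, r)}
    out["in_sync"] = alice.rekey() == bob.rekey()
    k_alice = alice.rekey()          # Alice rekeys; Bob misses the event
    out["drifted"] = k_alice != derive_from_counter(k_ab, bob.cnt)
    out["resync_ok"] = bob.resync(alice.cnt)
    out["stale_refused"] = not bob.resync(1)
    out["agree_again"] = alice.rekey() == bob.rekey()
    return out
```
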
13.1.3 The $n^2$ Key Distribution Problem

Until now we mainly assumed that the necessary keys for symmetric algorithms are distributed via a “secure channel”, as depicted in the beginning of this topic in Fig. 1.5. Distributing keys this way is sometimes referred to as key predistribution or out-of-band transmission since it typically involves a different mode (or band) of communication, e.g., the key is transmitted via a phone line or in a letter. Even though this seems somewhat clumsy, it can be a useful approach in certain practical situations, especially if the number of communicating parties is not too large. However, key predistribution quickly reaches its limits even if the number of entities in a network is only moderately large. This leads to the well-known $n^2$ key distribution problem.

We assume a network with $n$ users, where every party is capable of communicating with every other one in a secure fashion, i.e., if Alice wants to communicate with Bob, these two share a secret key $k_{AB}$ which is only known to them but not to