The problem with using a known key is that the function is invertable. The KDF doesn't work unless you can't invert it.
See: http://tools.ietf.org/html/draft-dang-nistkdf Sounds like we should talk to our new A-D, since he's a coauthor on the document from NIST. -- t. charles clancy, ph.d. <> [EMAIL PROTECTED] <> www.cs.umd.edu/~clancy On Sun, March 18, 2007 1:52 pm, Jouni Malinen wrote: > On Sun, Mar 18, 2007 at 01:24:20PM -0400, Charles Clancy wrote: >> The problem is that the new KDF construction uses hashes instead of >> MACs. > > Would use of CMAC with zero-key be acceptable to generate a hash > function for a KDF? Is there any publicly available document describing > why hashes should be used instead of MACs? I've only seen a comment > saying that this is because NIST says so for this particular > construction, but I have not seen any more details. > > Getting more details on this would be interesting for other reasons, > too, since there are new designs (e.g., IEEE 802.11r) which are using > HMAC-SHA256 -based KDF. Since the 802.11r KDF construction is also > claimed to be compliant to NIST recommendations, it is somewhat odd to > see EAP-GPSK take the other direction with the reasoning that this came > from NIST.. > > -- > Jouni Malinen PGP id EFC895FA > _______________________________________________ Emu mailing list Emu@ietf.org https://www1.ietf.org/mailman/listinfo/emu