Paul, Thank you very much for the comment. Is it acceptable to use the existing IPsec keys as input to a key derivation function (KDF)? The KDF generates unique authentication keys that are cryptographically linked to the IPsec keys but not directly exposed.
Linda

-----Original Message-----
From: Paul Wouters <p...@nohats.ca>
Sent: Wednesday, July 10, 2024 8:59 AM
To: Linda Dunbar <linda.dun...@futurewei.com>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Are there any issues of reusing IPsec key for generating Authentication Code?

On Tue, 9 Jul 2024, Linda Dunbar wrote:

> 1. The IPsec tunnel itself provides a secure channel for transmitting the
> authentication keys. This ensures that the keys are protected from
> eavesdropping or tampering during distribution.
> 2. Reuse the existing IPsec keys as input to a key derivation function
> (KDF). The KDF generates unique authentication keys that are
> cryptographically linked to the IPsec keys but not directly exposed.
> This adds a layer of protection, even if the IPsec keys are compromised.

Re-using keys for different purposes is not recommended on principle.
Some certifications (e.g. FIPS) also forbid dual use of the same key (pair).

Paul

_______________________________________________
IPsec mailing list -- ipsec@ietf.org