Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
protected in the event that a key is compromised. However, future keys are not protected. After a<br />
limited number of updates, new keying material shall be established by employing a fresh re-key<br />
operation (see Section 8.2.3.1). Key update is often used to limit the amount of data protected by<br />
a single key, but it shall not be used to replace a compromised key.<br />
8.2.4 Key Derivation Function<br />
Symmetric and private cryptographic keys may be derived from other secret values, sometimes<br />
called master keys. The secret values and possibly other information are input into a function that<br />
outputs one or more derived keys. In contrast to key change, the derived keys are often used for<br />
new purposes, rather than for replacing the secret values from which they are derived. The<br />
derivation function shall be a non-reversible function so that the secret values cannot be<br />
determined from the derived keys. In addition, it shall not be possible to determine a derived key<br />
from other derived keys. It should be noted that the strength of the derived key is no greater than<br />
the strength of the derivation algorithm and the secret values from which the key is derived.<br />
Four key derivation cases are discussed below.<br />
1. Two parties derive common keys from a common shared secret. This approach is used in<br />
the key agreement techniques specified in [SP800-56]. The security of this process is<br />
dependent on the security of the shared secret and the specific key derivation function<br />
used. If the shared secret is known, the derived keys may be determined. A key derivation<br />
function specified in [SP800-56] shall be used for this purpose. These derived keys may<br />
be used to provide the same confidentiality, authentication, and data integrity services as<br />
randomly generated keys<br />
2. Individual entity keys are derived from a master key. This is often accomplished by using<br />
the master key, entity ID, and other known information as input to a function that<br />
generates the entity keys. The security of this process depends upon the security of the<br />
master key and the key derivation function. If one of the entities knows the master key,<br />
the other entity keys may all be generated. Therefore, keys derived from a master key are<br />
only as secure as the master key itself. As long as the master key is kept secret, these keys<br />
may be used in the same manner as randomly generated keys.<br />
3. The individual entity key is derived from a master key and the entity password. These<br />
secret values are input to the key derivation function along with other known information.<br />
The security of a derived entity key is dependent upon the security of the master key, the<br />
security of the password, and the strength of the key derivation process. This form of key<br />
derivation is often used to add the entity authentication service to the derived keys. As<br />
long as the secret inputs are kept secret, these keys may be used in the same manner as<br />
randomly generated keys. The strength of the authentication service is only as strong as<br />
the security provided by the password.<br />
4. The individual entity key is derived from the entity password 29 . This is accomplished<br />
using a password, entity ID, and other known information as input to the key derivation<br />
function. This technique differs from previous technique 3 since no master key is used.<br />
Therefore, the security of the process depends solely upon the security of the password<br />
29 This technique is used in RSA PKCS #5.<br />
107