
It's still common to come across implementations of KDF1 and KDF2. Basically these are KDF's that simply derive multiple keys from the key seed and a counter:

$K_i = \operatorname{KDF}(K_{master}, i) = \operatorname{H}(K_{master} | c)$

In this function $|$ means concatenation and $c$ is the encoded value of $i$ in 4 bytes using an unsigned big endian notation. KDF1 and 2 only differ with regard to the starting value of $i$.

The issue with the KDF is that a hash is not necessarily a PRF. Actually, I've only seen MD5, SHA-1 or SHA-256 being deployed.

Are there any particular attack vectors that can be used against this construction? Is there any practical/pressing need to switch to HKDF or a NIST SP 800-108 approved hashing algorithm, or are the concerns purely theoretical in nature?


Please note: the above only shows KDF1/2 in their least complex form, using only a single output block and with an empty $OtherInfo$.

Maarten Bodewes
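An added worked example (not code from the question or answer): the counter-mode construction described above, generalised to multiple output blocks and a non-empty OtherInfo, with HKDF-Expand beside it so the structural difference is visible. It assumes OtherInfo is appended after the 4-byte counter, as in ISO/IEC 18033-2 and ANSI X9.63.

```python
import hashlib
import hmac


def _iso_kdf(seed: bytes, length: int, start: int,
             other_info: bytes = b"", hash_name: str = "sha256") -> bytes:
    """K_i = H(seed || c || OtherInfo), c = i as 4-byte unsigned big-endian.
    Blocks are concatenated and truncated to `length` bytes."""
    digest_size = hashlib.new(hash_name).digest_size
    max_blocks = 2**32 - start                      # counter must fit in 4 bytes
    if length < 0 or length > max_blocks * digest_size:
        raise ValueError("requested length not representable with a 4-byte counter")
    out = bytearray()
    i = start
    while len(out) < length:
        out += hashlib.new(hash_name, seed + i.to_bytes(4, "big") + other_info).digest()
        i += 1
    return bytes(out[:length])


def kdf1(seed: bytes, length: int, other_info: bytes = b"", hash_name: str = "sha256") -> bytes:
    """KDF1: counter starts at 0."""
    return _iso_kdf(seed, length, 0, other_info, hash_name)


def kdf2(seed: bytes, length: int, other_info: bytes = b"", hash_name: str = "sha256") -> bytes:
    """KDF2: counter starts at 1 (equivalent to the ANSI X9.63 KDF)."""
    return _iso_kdf(seed, length, 1, other_info, hash_name)


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869) for contrast: the key enters through HMAC rather than
    as a plain hash prefix, each block feeds back into the next, and the counter is 1 byte."""
    digest_size = hashlib.new(hash_name).digest_size
    if length < 0 or length > 255 * digest_size:
        raise ValueError("HKDF-Expand output is limited to 255 blocks")
    out, prev, i = bytearray(), b"", 1
    while len(out) < length:
        prev = hmac.new(prk, prev + info + bytes([i]), hash_name).digest()
        out += prev
        i += 1
    return bytes(out[:length])


if __name__ == "__main__":
    seed = b"constructed-example-seed"               # constructed sample input
    print("KDF1 :", kdf1(seed, 48).hex())
    print("KDF2 :", kdf2(seed, 48, other_info=b"ctx").hex())
    print("HKDF :", hkdf_expand(seed, b"ctx", 48).hex())
```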

1 Answer


As far as I know (which, admittedly, might be limited; I do not claim to possess encyclopedic knowledge of attacks on KDFs), there are no known practical attacks against KDF1 or KDF2 (which are also mentioned on this page, following ISO-18033-2) when instantiated with a secure hash function.

Regarding the relative security of these KDFs vs. HMAC-based KDFs like HKDF, it's worth noting that the HMAC security proof is based on the assumption that the compression function of the underlying hash is itself a PRF. Therefore, when used with any hash function to which the standard HMAC security proof applies, it seems that KDF1 / KDF2 should also be provably secure, at least as long as the master key length equals (or is padded to) the input block size of the hash.

Ilmari Karonen