
Commit 57a55c8

committed
Add a section on key derivation
1 parent 391814e commit 57a55c8

1 file changed

Lines changed: 23 additions & 2 deletions

draft-denis-ipcrypt.md

@@ -618,6 +618,29 @@ Implementations MUST ensure that:
618618
3. Side-channel attacks are mitigated through constant-time operations
619619
4. Error handling does not leak sensitive information
620620

621+
## Key Derivation for Multiple Variants
622+
623+
When using multiple encryption variants within the same deployment, implementations MUST derive separate keys for each variant to prevent cross-mode correlations. The RECOMMENDED approach uses HKDF ({{!RFC5869}}) to derive per-variant subkeys from a single master key:
624+
625+
- `K_deterministic = HKDF-Expand(PRK, "ipcrypt-deterministic", 16)`
626+
- `K_pfx = HKDF-Expand(PRK, "ipcrypt-pfx", 32)`
627+
- `K_nd = HKDF-Expand(PRK, "ipcrypt-nd", 16)`
628+
- `K_ndx = HKDF-Expand(PRK, "ipcrypt-ndx", 32)`
629+
630+
Where:
631+
632+
- `PRK = HKDF-Extract(salt, K_master)` is a pseudorandom key derived from the master key
633+
- `K_master` is a uniformly random master key
634+
- `salt` is either empty or a fixed random value for the application
635+
- The strings `"ipcrypt-deterministic"`, etc. are used as the `info` parameter for domain separation
636+
- The third parameter specifies the output length in bytes (16 for single AES keys, 32 for `ipcrypt-pfx` and `ipcrypt-ndx`)
637+
638+
This ensures that:
639+
640+
1. Using the same master key across different variants does not enable cross-variant attacks
641+
2. Key management is simplified by requiring only a single master key
642+
3. Each variant operates with cryptographically independent keys
643+
621644
## Key Management Considerations
622645

623646
Implementers MUST ensure:
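
Review bot: The sentence introducing the derivation ("The RECOMMENDED approach uses HKDF ({{!RFC5869}})") does not name the hash function, and the "Where:" list gives no minimum length for `K_master`, so two implementations following this section could derive different subkeys from the same master key. Suggest naming the hash in the text (for example HKDF-SHA-256), stating a minimum `K_master` length, and saying whether `salt` has to be identical for every party sharing the master key, since "either empty or a fixed random value for the application" leaves that open. Separately, the first sentence makes separate per-variant keys a MUST while the HKDF construction is only RECOMMENDED; one sentence on what else satisfies the MUST (such as independently generated keys) would remove the ambiguity.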
@@ -627,8 +650,6 @@ Implementers MUST ensure:
627650
3. Key rotation policies are established based on usage volume and security requirements
628651
4. Key compromise procedures are defined and tested
629652

630-
For high-volume deployments processing billions of IP addresses, regular key rotation (e.g., monthly or quarterly) is RECOMMENDED to stay well within the security bounds discussed in this document.
631-
632653
# Implementation Details {#implementation-details}
633654

634655
This section provides pseudocode and implementation guidance for the operations described in this document.
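
Review bot: The paragraph removed after item 4 ("regular key rotation (e.g., monthly or quarterly) is RECOMMENDED") was the only concrete rotation cadence visible in this part of the section, and the commit message, which only mentions adding a key derivation section, does not explain why it is dropped. Item 3 still requires rotation policies "based on usage volume and security requirements", so either keep the paragraph or replace it with guidance that fits the new scheme, for instance stating that rotating `K_master` rotates every derived subkey at once. If the removal is intentional, mention it in the commit message.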
