Re: Using MGF1 for key generation
Date: 08/02/05

Date: 2 Aug 2005 00:44:40 -0700

Again I would like to thank everybody for providing me with useful

I would like to return to the issue of key generation from seed, I was
talking about MGF1 before and it's restriction to 160 bits strength. I
have looked around some more and encountered the key generation
mechanism that is used in SSL.

In SSL a 48 bytes seed (pre master secret) is used to create the master
secret that is later used for key generation, the process is: (the
pre_master_secret is sent encrypted on the network, the
ClientHello.random & ServerHello.random are 28 bytes each and are sent
in plain).

master_secret =
        MD5(pre_master_secret + SHA('A' + pre_master_secret +
            ClientHello.random + ServerHello.random)) +
        MD5(pre_master_secret + SHA('BB' + pre_master_secret +
            ClientHello.random + ServerHello.random)) +
        MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
            ClientHello.random + ServerHello.random));

key_block =
        MD5(master_secret + SHA('A' + master_secret +
ServerHello.random +
            ClientHello.random)) +
        MD5(master_secret + SHA('BB' + master_secret +
ServerHello.random +
            ClientHello.random)) +
        MD5(master_secret + SHA('CCC' + master_secret +
ServerHello.random +
            ClientHello.random)) + [...];

If we would look aside to the fact that using MD5 and SHA1 might not be
the best idea and new hash algorithms are better then this procedure
looks better then MGF1 for key generation (at least looks better to
me...) can anyone give me his opinion about this? Can anyone explain
why MGF1 might be preferable?


Hagai Yaffe.