In this exercise, we want to analyze some variants of key derivation. In practice, one masterkey kMK is exchanged in a secure way (e.g. certificate-based DHKE) between the involved parties. Afterwards, the session keys are regularly updated by use of key derivation. For this purpose, three different methods are at our disposal:
where h() marks a (secure) hash function, and ki is the ith session key.
1. What are the main differences between these three methods?
2. Which method provides Perfect Forward Secrecy?
3. Assume Oscar obtains the nth session key (e.g., via brute-force). Which sessions can he now decrypt (depending on the chosen method)?
4. Which method remains secure if the masterkey kMK is compromised? Give a rationale!