Add support for KDFs based on SP 800-108 recommendations #123
athoelke merged 6 commits into ARM-software:main from
bd4acfd to e1d4c92
Rebased to merge with changes from #91, and added cross-references from the key types to the new algorithms
e1d4c92 to 8cd43ae
@athoelke Do you think that it has value to provide a reference implementation of these new algorithms using the PSA crypto MAC APIs? These can be used to generate test vectors which future implementations can use to verify that they follow the algorithm as we intend it to be followed. I think that it is a good idea to have them; if you agree, let me know what is the most suitable place to put them and I can provide the code for them.
@Vge0rge We will implement this KDF in Mbed TLS, likely in our next release, so that can serve as sample code. With respect to test vectors, we'll likely generate our test data with Cryptodome.
Cryptodome cannot be used to generate test vectors for PSA_ALG_SP800_108_COUNTER_CMAC because it implements the standard version, not the ‘robust’ variant suggested in this PR. The same holds for OpenSSL.
I guess it would be possible to use CMAC-AES in Cryptodome to construct the CMAC-based KDF defined here, in order to create test vectors; as the SP800-108 Counter KDF support in Cryptodome uses a different construction? However, I think a reference would be valuable. Whether for constructing or validating test vectors, or just helping to illustrate the construction defined in the Crypto API.
My suggestion for hosting such examples would be to place it in a new containing a readme.md to briefly describe the example, and any source files?
Sounds reasonable to me, I will arrange this soon then.
gilles-peskine-arm left a comment
A few local remarks, other than that LGTM.
f718c56 to 6b4ec8c
Reviewer is happy to proceed once comments addressed
Is this available in any Mbed TLS released version at the moment? If not, is it being worked on currently?
Define algorithm identifiers for HMAC and CMAC variants of a counter-mode KDF that follows the construction recommended by NIST SP 800-108r1.
As the specification defines a general construction, the Crypto API specification provides a precise definition, to ensure compatibility between different implementations. See #106 for the enhancement request, and discussion.
Fixes #106
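
The description's point that SP 800-108r1 gives only a general construction, shown as an added example (not code from this PR, the Crypto API specification or Mbed TLS): a counter-mode HMAC KDF whose counter and length field widths are parameters, so two conforming encodings can be compared. The 4-byte big-endian defaults, the zero-byte label check and the function names are assumptions of this example, and the sample inputs are constructed.

```python
import hashlib
import hmac


def sp800_108_counter_hmac(key, label, context, out_len,
                           hash_name="sha256", counter_bytes=4, length_bytes=4):
    """Counter-mode KDF from NIST SP 800-108r1 with HMAC as the PRF.

    Block i is HMAC(key, [i] || label || 0x00 || context || [L]), where L is
    the requested output length in bits. The NIST text leaves the widths of
    [i] and [L] open; the 4-byte big-endian defaults are an assumption.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    if b"\x00" in label:
        # This example's own check: a zero byte in the label would blur
        # the boundary between label and context.
        raise ValueError("label must not contain a zero byte")
    digest_size = hashlib.new(hash_name).digest_size
    blocks = -(-out_len // digest_size)  # ceiling division
    if blocks >= 1 << (8 * counter_bytes):
        raise ValueError("output too long for the counter width")
    bit_len = (out_len * 8).to_bytes(length_bytes, "big")
    fixed = label + b"\x00" + context + bit_len
    out = b""
    for i in range(1, blocks + 1):
        msg = i.to_bytes(counter_bytes, "big") + fixed
        out += hmac.new(key, msg, hash_name).digest()
    return out[:out_len]


def encodings_interoperate(key, label, context, out_len):
    """True only if 4-byte and 1-byte/2-byte field encodings derive the same key."""
    wide = sp800_108_counter_hmac(key, label, context, out_len)
    narrow = sp800_108_counter_hmac(key, label, context, out_len,
                                    counter_bytes=1, length_bytes=2)
    return hmac.compare_digest(wide, narrow)


if __name__ == "__main__":
    # Constructed sample inputs, not published test vectors.
    key = bytes(range(32))
    okm = sp800_108_counter_hmac(key, b"example label", b"example context", 48)
    print(okm.hex())
    print("interoperable:", encodings_interoperate(
        key, b"example label", b"example context", 48))
```

Because the requested length is part of every PRF input, a 16-byte derivation is not a prefix of a 48-byte one, which is worth remembering when comparing outputs from two implementations.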