- From: Ryan Sleevi <sleevi@google.com>
- Date: Wed, 31 Oct 2012 14:25:05 -0700
- To: Axel Nennker <ignisvulpis@gmail.com>
- Cc: Wan-Teh Chang <wtc@google.com>, Michael.Jones@microsoft.com, Axel.Nennker@telekom.de, public-webcrypto@w3.org
- Message-ID: <CACvaWvbn-a=_Njz2QrMA6F3X0rdJuL=Pqy0sd6JT2amwo7qE3g@mail.gmail.com>
I don't think it's a fair contrast. Historically, KDFs have generally been about the combination of low-level primitives in "acceptable" forms, rather than being considered a low-level primitive themselves. That is, they are, at best, high-level syntactic sugar. The blessing by NIST (finally!) actually provides incentive and benefit for cryptographic libraries, particularly those concerned with FIPS 140-2/defined security boundaries, to treat the KDFs as low-level primitives. The ones most likely to be implemented are thus the ones recommended by NIST (since NIST cares about such things), and so the best hope for *future* implementations (which will eventually exist) is to use HKDF/Concat. If you're talking about "how easy is it for an application developer to implement", PBKDF2/HKDF/Concat are more or less the same. But they have different security properties, and like Mike said, the latter algorithms make more sense (albiet with the need to address the various oddities with how JOSE currently incorrectly uses Concat) On Wed, Oct 31, 2012 at 2:15 PM, Axel Nennker <ignisvulpis@gmail.com> wrote: > I think we need a table with the same platform as in Mike's table that > started this discussion with KDFs that actually have implementations. > Specification in RFCs or blessing by NIST does not count. Implementations > rule. > > Usage Param Name Param Val Description .NET Windows native OS X iOS Java > JCA BouncyCastle Android PHP PHPSecLib Python M2Crypto PyCrypto Ruby > OpenSSL node.js NSS > JWE kdf CS256 Concat Key Derivation Function (KDF) NO Win7 > NO NO NO NO NO NO NO NO NO NO NO JWE kdf CS384 Concat Key Derivation > Function (KDF) NO Win7 NO NO NO NO NO NO NO NO NO NO NO JWE kdf > CS512 Concat Key Derivation Function (KDF) NO Win7 NO NO NO NO NO NO > NO NO NO NO NO > > Axel > > > 2012/10/31 Wan-Teh Chang <wtc@google.com> > >> On Mon, Oct 29, 2012 at 4:23 PM, Ryan Sleevi <sleevi@google.com> wrote: >> > >> > However, as an NSS developer, I do not see your presented argument as a >> > reason not to use Concat-KDF, and Concat-KDF would be more preferable, >> as a >> > NIST-blessed KDF, since NSS cares especially for NIST-blessed >> algorithms. >> >> I think HKDF (hash-based key derivation function) is also worth >> considering. >> It is specified in RFC 5869 and is also blessed by NIST in SP 800-56C. >> >> Wan-Teh >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose >> > >
Received on Wednesday, 31 October 2012 21:25:33 UTC