
RE: Potential contradiction in HKDF?

From: Acar, Tolga <tolga.acar@intel.com>
Date: Mon, 1 Apr 2013 16:41:52 +0000
To: Richard Barnes <rbarnes@bbn.com>, "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>
Message-ID: <52337C44538F2F4D87D63A3E46538A87016556E4@FMSMSX106.amr.corp.intel.com>

You are not misreading. There is more than one difference between -108 and RFC 5869. In addition to your observation in the innermost loop computation, there are more differences.
* -108 has a combined KDF whereas RFC5869 has a two-staged extract/expand approach. 
* The key length in the RFC is in number of bytes, while -108 uses bits for length.

- Tolga

> -----Original Message-----
> From: Richard Barnes [mailto:rbarnes@bbn.com]
> Sent: Monday, April 01, 2013 8:18 AM
> To: public-webcrypto@w3.org Group
> Subject: Potential contradiction in HKDF?
> 
> The current description of HKDF says "the algorithm described in RFC 5869
> [RFC5869] and NIST SP 800-56C [SP800-56C], using HMAC in counter mode, as
> described in Section 5.1 of NIST SP 800-108 [SP800-108]."
> 
> However, it appears that the algorithm defined in RFC 5869 is different from
> the algorithm described in Section 5.1 of SP800-108.  To summarize the
> difference:
> 
> RFC 5869:  K(i) := PRF(K_I, K(i-1) || info || i)
> SP800-108: K(i) := PRF(K_I, i || Label || 0x00 || Context || L)
> 
> Am I mis-reading these specs, or do we need to choose one or the other?
> 
> --Richard

Received on Monday, 1 April 2013 16:42:22 UTC
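
Added example, not part of the original messages: both constructions from the thread implemented with HMAC-SHA-256, so the differences raised above (feedback versus counter input, two-stage versus combined, bytes versus bits) can be seen in the outputs. The 32-bit big-endian encodings of `i` and `L` and the `LABEL` value are assumptions chosen for this example; the other inputs are those of RFC 5869 Appendix A.1.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 stage 1: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes.
    return prf(salt or b"\x00" * HASH_LEN, ikm)

def hkdf_expand(prk: bytes, info: bytes, length_bytes: int) -> bytes:
    # RFC 5869 stage 2: K(i) = PRF(K_I, K(i-1) || info || i), i is a single byte.
    if not 0 < length_bytes <= 255 * HASH_LEN:
        raise ValueError("length must be 1..255*HashLen bytes")
    okm, block = b"", b""
    for i in range(1, -(-length_bytes // HASH_LEN) + 1):
        block = prf(prk, block + info + bytes([i]))  # feedback from previous block
        okm += block
    return okm[:length_bytes]

def sp800_108_counter(k_i: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    # SP 800-108 5.1: K(i) = PRF(K_I, i || Label || 0x00 || Context || L)
    # Assumption: i and L are encoded as 32-bit big-endian integers.
    if length_bits <= 0 or length_bits % 8:
        raise ValueError("this example handles whole-byte lengths only")
    fixed = label + b"\x00" + context + length_bits.to_bytes(4, "big")
    n = -(-length_bits // (8 * HASH_LEN))
    out = b"".join(prf(k_i, i.to_bytes(4, "big") + fixed) for i in range(1, n + 1))
    return out[: length_bits // 8]

# Inputs from RFC 5869 Appendix A.1 (test case 1); LABEL is a constructed value.
IKM = bytes([0x0B]) * 22
SALT = bytes(range(0x00, 0x0D))
INFO = bytes(range(0xF0, 0xFA))
LABEL = b"example-label"

if __name__ == "__main__":
    prk = hkdf_extract(SALT, IKM)
    print("HKDF     :", hkdf_expand(prk, INFO, 42).hex())
    print("SP800-108:", sp800_108_counter(prk, LABEL, INFO, 42 * 8).hex())
```

Because `L` is part of every PRF input in the SP 800-108 form, requesting a different output length changes all derived bytes, whereas a shorter HKDF output is a prefix of a longer one.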
