W3C home > Mailing lists > Public > public-xmlsec@w3.org > October 2011

RE: How does one specify the Salt/Nonce for ConcatKDF key derivation in XML encryption 1.1

From: Pratik Datta <pratik.datta@oracle.com>
Date: Tue, 4 Oct 2011 11:30:35 -0700 (PDT)
Message-ID: <17008e5d-66a8-4f99-bad6-d2c29ca465c6@default>
To: Magnus Nystrom <mnystrom@microsoft.com>, "XMLSec WG Public List (public-xmlsec@w3.org)" <public-xmlsec@w3.org>
Cc: elaine.barker@nist.gov, llchen@nist.gov
Including Elaine and Lily in the email discussion.


Elaine, Lily
XML Encryption 1.1  references the ConcatKDF key derivation algorithm of NIST SP 800-56A 
See section 5.4.1 http://www.w3.org/TR/xmlenc-core1/#sec-ConcatKDF
and section 5.6.4 http://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES 


Section 5.6.4 spec says
"When ECDH is used in Ephemeral-Static (ES) mode, the recipient has a static key pair, but the sender generates a ephemeral key pair for each message. The same ephemeral key may be used when there are multiple recipients that use the same curve parameters."


Is it ok to reuse the ephemeral key ?


RFC2631
http://tools.ietf.org/html/rfc2631#section-2.3
says this about DH- Ephemeral-Static mode

In Ephemeral-Static mode, the recipient has a static (and certified)
   key pair, but the sender generates a new key pair for each message
   and sends it using the originatorKey production. If the sender's key
   is freshly generated for each message, the shared secret ZZ will be
   similarly different for each message and partyAInfo MAY be omitted,
   since it serves merely to decouple multiple KEKs generated by the
   same set of pairwise keys. If, however, the same ephemeral sender key
   is used for multiple messages (e.g. it is cached as a performance
   optimization) then a separate partyAInfo MUST be used for each
   message. All implementations of this standard MUST implement
   Ephemeral-Static mode.



Is this advice applicable for ECDH-ES as well?  
I.e. should we recommend people to use partyUInfo and specify a nonce if the ephemeral key is cached and reused?

Is it computationally expensive to generate a new ephemeral key every time? or does caching make sense?





Magnus,
I am not very clear what you mean by "static-static".  In XML Encryption 1.1 we only have "ephemeral-static",  If the ephemeral key is cached , does that make is static-static?


Pratik

-----Original Message-----
From: Magnus Nystrom [mailto:mnystrom@microsoft.com] 
Sent: Monday, October 03, 2011 7:58 PM
To: XMLSec WG Public List (public-xmlsec@w3.org)
Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation in XML encryption 1.1

Responding to myself here, one suggestion that has been made to me off-list is to provide a note on what to do in static-static situations. This may be reasonable and here's a suggestion:

In Section 5.4.1 of XML Encryption 1.1, change:

The AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo and SuppPrivInfo attributes are as defined in [SP800-56A]. Their presence is optional but AlgorithmID, PartyVInfo and PartyUInfo must be present for applications that need to comply with [SP800-56A].

To:

The AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo and SuppPrivInfo attributes are as defined in [SP800-56A]. Their presence is optional but AlgorithmID, PartyVInfo and PartyUInfo must be present for applications that need to comply with [SP800-56A]. Note: The PartyUInfo component shall include a nonce when ConcatKDF is used in conjunction with a static-static Diffie-Hellman (or static-static ECDH) key agreement scheme; see further [SP800-56A].

-- Magnus

> -----Original Message-----
> From: Magnus Nystrom
> Sent: Tuesday, September 27, 2011 8:44 PM
> To: XMLSec WG Public List (public-xmlsec@w3.org)
> Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation
> in XML encryption 1.1
> 
> Hi Pratik,
> In the case of static-static D-H, the nonce shall be part of the PartyUInfo
> element (see NIST 800-56A: "NonceU shall be in the PartyUInfo subfield of
> OtherInfo"). As we state in the document that these attributes are defined in
> 800-56A, I don't think there's a need to make an update here.
> 
> Best,
> -- Magnus
> 
> > > Resent-From: <public-xmlsec@w3.org>
> > > From: ext Pratik Datta <pratik.datta@oracle.com>
> > > Date: September 19, 2011 4:18:01 PM EDT
> > > To: <public-xmlsec@w3.org>
> > > Subject: How does one specify the Salt/Nonce for ConcatKDF key
> > > derivation in XML encryption 1.1
> > >
> > > I noticed that the Legacy key derivation function has a <KA-Nonce>
> > > element,
> > PBKDF2  has a <Salt> element, but there is nothing equivalent of this
> > for ConcatKDF.
> > > Is the salt supposed to be part of PartyUInfo , PartyVInfo ?
> > >
> > >
> > > The SP800-56A  says this:
> > > ------
> > > 3.2 PartyUInfo: A bit string containing public information that is
> > > required by the application using this KDF to be contributed by
> > > party U to the key derivation process. At a minimum, PartyUInfo
> > > shall include IDU, the identifier of party U. See the notes below.
> > >
> > > 3.3 PartyVInfo: A bit string containing public information that is
> > > required by the application using this KDF to be contributed by
> > > party V to the key derivation process. At a minimum, PartyVInfo
> > > shall include IDV, the identifier of party V. See the notes below.
> > > -----
> > >
> > > I am not very clear from this text whether PartyUInfo is supposed
> > > include
> > some random value.
> > >
> > > Without the salt, the derived key will turn out to be same every time.
> > >
> > >
> > > Pratik
> > >
> >
Received on Tuesday, 4 October 2011 18:31:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 4 October 2011 18:31:27 GMT