Re: How does one specify the Salt/Nonce for ConcatKDF key derivation in XML encryption 1.1

From: <Frederick.Hirsch@nokia.com>
Date: Thu, 6 Oct 2011 17:53:05 +0000
To: <mnystrom@microsoft.com>
CC: <Frederick.Hirsch@nokia.com>, <public-xmlsec@w3.org>
Message-ID: <B7657C40-500C-4B8B-8CEC-BAE25879BE52@nokia.com>
I have updated the XML Encryption 1.1 editors draft with this change as agreed on our last teleconference, see http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/att-0007/minutes-2011-10-04.html#item05

regards, Frederick

Frederick Hirsch
Nokia



On Oct 3, 2011, at 10:58 PM, ext Magnus Nystrom wrote:

> Responding to myself here, one suggestion that has been made to me off-list is to provide a note on what to do in static-static situations. This may be reasonable and here's a suggestion:
> 
> In Section 5.4.1 of XML Encryption 1.1, change:
> 
> The AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo and SuppPrivInfo attributes are as defined in [SP800-56A]. Their presence is optional but AlgorithmID, PartyVInfo and PartyUInfo must be present for applications that need to comply with [SP800-56A].
> 
> To:
> 
> The AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo and SuppPrivInfo attributes are as defined in [SP800-56A]. Their presence is optional but AlgorithmID, PartyVInfo and PartyUInfo must be present for applications that need to comply with [SP800-56A]. Note: The PartyUInfo component shall include a nonce when ConcatKDF is used in conjunction with a static-static Diffie-Hellman (or static-static ECDH) key agreement scheme; see further [SP800-56A].
> 
> -- Magnus
> 
>> -----Original Message-----
>> From: Magnus Nystrom
>> Sent: Tuesday, September 27, 2011 8:44 PM
>> To: XMLSec WG Public List (public-xmlsec@w3.org)
>> Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation
>> in XML encryption 1.1
>> 
>> Hi Pratik,
>> In the case of static-static D-H, the nonce shall be part of the PartyUInfo
>> element (see NIST 800-56A: "NonceU shall be in the PartyUInfo subfield of
>> OtherInfo"). As we state in the document that these attributes are defined in
>> 800-56A, I don't think there's a need to make an update here.
>> 
>> Best,
>> -- Magnus
>> 
>>>> Resent-From: <public-xmlsec@w3.org>
>>>> From: ext Pratik Datta <pratik.datta@oracle.com>
>>>> Date: September 19, 2011 4:18:01 PM EDT
>>>> To: <public-xmlsec@w3.org>
>>>> Subject: How does one specify the Salt/Nonce for ConcatKDF key
>>>> derivation in XML encryption 1.1
>>>> 
>>>> I noticed that the Legacy key derivation function has a <KA-Nonce>
>>>> element, PBKDF2 has a <Salt> element, but there is nothing equivalent
>>>> of this for ConcatKDF.
>>>> Is the salt supposed to be part of PartyUInfo, PartyVInfo?
>>>> 
>>>> 
>>>> The SP800-56A says this:
>>>> ------
>>>> 3.2 PartyUInfo: A bit string containing public information that is
>>>> required by the application using this KDF to be contributed by
>>>> party U to the key derivation process. At a minimum, PartyUInfo
>>>> shall include IDU, the identifier of party U. See the notes below.
>>>> 
>>>> 3.3 PartyVInfo: A bit string containing public information that is
>>>> required by the application using this KDF to be contributed by
>>>> party V to the key derivation process. At a minimum, PartyVInfo
>>>> shall include IDV, the identifier of party V. See the notes below.
>>>> -----
>>>> 
>>>> I am not very clear from this text whether PartyUInfo is supposed
>>>> to include some random value.
>>>> 
>>>> Without the salt, the derived key will turn out to be the same every time.
>>>> 
>>>> 
>>>> Pratik
>>>> 
>>> 
> 
> 
Received on Thursday, 6 October 2011 17:56:09 GMT
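
The point settled in this thread, as an added example that is not from the original messages or the specification: with a static-static shared secret, the SP800-56A concatenation KDF returns the same key for every message unless PartyUInfo carries a fresh nonce. The shared secret, identifiers, AlgorithmID value, 16-byte nonce length, raw-byte field concatenation and the helper names are assumptions made for illustration.

```python
import hashlib
import os
import struct

def concat_kdf(z, key_len, algorithm_id, party_u_info, party_v_info,
               hash_name="sha256"):
    """SP800-56A concatenation KDF: hash (counter || Z || OtherInfo) blocks."""
    # Assumption: fields are joined as raw bytes; real profiles fix each
    # field's length or length-prefix it so the concatenation is unambiguous.
    other_info = algorithm_id + party_u_info + party_v_info
    out, counter = b"", 1
    while len(out) < key_len:
        block = struct.pack(">I", counter) + z + other_info
        out += hashlib.new(hash_name, block).digest()
        counter += 1
    return out[:key_len]

# Constructed sample values (not from the thread or the specification).
Z_STATIC = bytes(range(32))          # static-static DH/ECDH secret: never changes
ALG_ID = b"example-aes128-kw"        # placeholder AlgorithmID
ID_U = b"party-u@example.com"
ID_V = b"party-v@example.com"
NONCE_LEN = 16                       # assumed nonce length

def derive_key(nonce=b""):
    """PartyUInfo = IDU || NonceU; an empty nonce models the unsafe case."""
    return concat_kdf(Z_STATIC, 16, ALG_ID, ID_U + nonce, ID_V)

def party_u_info_has_nonce(party_u_info, id_u=ID_U, nonce_len=NONCE_LEN):
    """Receiver-side check before deriving with a static-static secret."""
    return (party_u_info.startswith(id_u)
            and len(party_u_info) == len(id_u) + nonce_len)

if __name__ == "__main__":
    print("no nonce, message 1:", derive_key().hex())
    print("no nonce, message 2:", derive_key().hex())   # identical key
    n1, n2 = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    print("nonce 1:            ", derive_key(n1).hex())
    print("nonce 2:            ", derive_key(n2).hex())  # different key
    print("receiver recomputes:", derive_key(n1) == derive_key(n1))
```

The nonce is public: the sender transmits it inside PartyUInfo so the receiver can rebuild the same OtherInfo and derive the same key.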