inconsistent references for HKDF-CTR from Mark Watson on 2014-02-27 (public-webcrypto@w3.org from February 2014)

From: Mark Watson <watsonm@netflix.com>
Date: Thu, 27 Feb 2014 09:59:59 -0800
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CAEnTvdCPpXLp_7HqygubCwUkTcSN_3rqH00045HxTshoZ1K2wg@mail.gmail.com>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=24838

HKDF-CTR references RFC5869, NIST SP800-56C and NIST SP800-108.

These references specify different algorithms.

RFC5869 calculates output keying material as the concatenation of T(i)
i=1, ..., N where T(i) = HMAC-Hash(PRK, T(i-1) | info | [i] ) where
PRK is a key derived from the base key through an extraction step and
[i] is a single octet representation of i.

By contrast, SP800-108 calculates the output keying material as the
concatenation of K(i) i=1,...,N where K(i) := PRF(KI, [i] || Label ||
0x00 || Context || [L] ) where KI is the key derivation key and [L] is
the binary representation of the number of output bits.

Which reference should we use, or should we support both as separate
algorithms ?

...Mark

Received on Thursday, 27 February 2014 18:00:27 UTC