RE: inconsistent references for HKDF-CTR

First, I will note that both of the algorithms do the Key Extraction step.
So both of the algorithms will compute

PRK = HMAC-HASH(s, ZZ)

So that portion of the two algorithms is not any different.

I will note that RFC 5869 is complete and has test vectors; however,
SP800-108 does not specify how the encoding of P is to be done.  Thus items
such as the length of [L] are not specified by the document.

I can implement 5869; I can't do that for SP800-108 without a couple of
additional items being specified.  You end up needing some additional data
such as is provided in section 5.9 of SP 800-56B (ASN.1 or concatenation
encoding of the input).

Jim


From: Mark Watson [mailto:watsonm@netflix.com] 
Sent: Thursday, February 27, 2014 10:00 AM
To: public-webcrypto@w3.org
Subject: inconsistent references for HKDF-CTR

https://www.w3.org/Bugs/Public/show_bug.cgi?id=24838

HKDF-CTR references RFC5869, NIST SP800-56C and NIST SP800-108.

These references specify different algorithms.

RFC5869 calculates output keying material as the concatenation of T(i) i=1,
..., N where T(i) = HMAC-Hash(PRK, T(i-1) | info | [i] ) where PRK is a key
derived from the base key through an extraction step and [i] is a single
octet representation of i.

By contrast, SP800-108 calculates the output keying material as the
concatenation of K(i) i=1,...,N where K(i) := PRF(KI, [i] || Label || 0x00
|| Context || [L] ) where KI is the key derivation key and [L] is the binary
representation of the number of output bits.

Which reference should we use, or should we support both as separate
algorithms?
...Mark

Received on Thursday, 27 February 2014 19:55:12 UTC
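
The two expansion formulas quoted in this thread, side by side, as an added example that is not part of the original messages or of any specification text. The `counter_octets` and `l_octets` parameters are assumptions introduced here to show that the SP800-108 output depends on encoding choices the caller has to make; the inputs are those of RFC 5869 test case 1, with `info` reused as the SP800-108 Context and a constructed Label.

```python
import hashlib
import hmac

# Inputs of RFC 5869 test case 1 (SHA-256), reused for both constructions.
IKM = bytes.fromhex("0b" * 22)
SALT = bytes.fromhex("000102030405060708090a0b0c")
INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
LABEL = b"example-label"  # constructed value, not from any specification


def extract(salt, ikm, hash_name="sha256"):
    """Shared extraction step: PRK = HMAC-Hash(salt, input keying material)."""
    return hmac.new(salt, ikm, hash_name).digest()


def rfc5869_expand(prk, info, length, hash_name="sha256"):
    """T(i) = HMAC-Hash(PRK, T(i-1) | info | [i]); [i] is one octet per the RFC."""
    hash_len = hashlib.new(hash_name).digest_size
    blocks = -(-length // hash_len)  # ceiling division
    if blocks > 255:
        raise ValueError("output longer than 255 * HashLen octets")
    okm, t = b"", b""
    for i in range(1, blocks + 1):
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
    return okm[:length]


def sp800_108_ctr(ki, label, context, length, counter_octets, l_octets,
                  hash_name="sha256"):
    """K(i) = PRF(KI, [i] || Label || 0x00 || Context || [L]).

    counter_octets / l_octets are assumed big-endian widths for [i] and [L];
    two implementations interoperate only if they agree on both.
    """
    hash_len = hashlib.new(hash_name).digest_size
    blocks = -(-length // hash_len)
    l_field = (length * 8).to_bytes(l_octets, "big")  # [L] counts output bits
    out = b""
    for i in range(1, blocks + 1):
        msg = i.to_bytes(counter_octets, "big") + label + b"\x00" + context + l_field
        out += hmac.new(ki, msg, hash_name).digest()
    return out[:length]


if __name__ == "__main__":
    prk = extract(SALT, IKM)
    print("RFC 5869      :", rfc5869_expand(prk, INFO, 42).hex())
    for widths in ((4, 4), (1, 2)):
        print("SP800-108", widths, ":", sp800_108_ctr(prk, LABEL, INFO, 42, *widths).hex())
```
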