
Re: Comments on RSA-PSS - March 7 Editors Draft

From: Mark Watson <watsonm@netflix.com>
Date: Fri, 7 Mar 2014 12:32:55 -0800
Message-ID: <CAEnTvdAU0M6iRVWZajw=x-eOC7FDv0ftPVLD2VbQqp8D+=-gmw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Fri, Mar 7, 2014 at 11:15 AM, Jim Schaad <ietf@augustcellars.com> wrote:

> 1.  It should be noted that RFC 4055 from the PKIX group makes the
> parameters field optional for id-RSASSA-PSS.  This means that depending on
> the standard used, these fields may be absent when importing the key.
>
> 2.  What happened to the deriveKey descriptions?  I would like to point out
> that Microsoft using CNG does not have the ability to get to the secret
> value from a DH key agreement operation.  They will be completely unable
> to implement the current specification using their current code.
>

I don't believe that's correct.

The deriveKey method is still present and has the same external behavior as
always, so if they could implement it before they can implement it now
(which I believe they can).

The deriveKey method calls three algorithm-specific operations in
sequence:
(1) call the "get length" operation of the derived key algorithm to get the
required key length from the derivedKeyType parameter
(2) call the "derive bits" operation of the key derivation algorithm to
derive the key data (and adapt it to the required length)
(3) call the "import key" operation of the derived key algorithm to import
the key

But you're not required to implement it exactly this way so long as the
externally visible behavior is identical.

I took this approach because the alternative of keeping separate deriveKey
*operations* would result in awkward cross-algorithm references for steps
(1) and (3). Step (1) is needed because the way the required key length is
identified is dependent on the target derived key algorithm. For example,
HMAC defaults to the block size of the hash being used. We need to call
target-derived-key-algorithm-specific procedures to identify this length.

Target derived key algorithms that can support arbitrary length input -
specifically the KDFs - return null to step (1) and then get as many bits
as the key derivation algorithm (e.g. DH) will give them.

...Mark



>
> Jim
Received on Friday, 7 March 2014 20:33:23 UTC
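
Added example (not part of the original message or of the specification text): the three-step deriveKey sequence described above, written out against the WebCrypto API and compared with the built-in deriveKey. The helper names getKeyLength, deriveKeyManually and compareDerivations are hypothetical, and ECDH on P-521 stands in for DH as the key derivation algorithm.

```javascript
// Returns SubtleCrypto in browsers and in Node (older Node lacks the global).
async function getSubtle() {
  const c = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  return c.subtle;
}

// Step (1): "get length" of the *derived* key algorithm (HMAC and AES only here).
function getKeyLength(derivedKeyType) {
  if (derivedKeyType.name === 'HMAC') {
    if (derivedKeyType.length !== undefined) return derivedKeyType.length;
    // HMAC default: block size of the hash, in bits.
    const blockBits = { 'SHA-1': 512, 'SHA-256': 512, 'SHA-384': 1024, 'SHA-512': 1024 };
    return blockBits[derivedKeyType.hash.name ?? derivedKeyType.hash];
  }
  if (derivedKeyType.name.startsWith('AES-')) return derivedKeyType.length;
  throw new Error('derived key algorithm not covered by this example');
}

async function deriveKeyManually(subtle, algorithm, baseKey, derivedKeyType, usages) {
  const length = getKeyLength(derivedKeyType);                        // step (1)
  const bits = await subtle.deriveBits(algorithm, baseKey, length);   // step (2)
  return subtle.importKey('raw', bits, derivedKeyType, true, usages); // step (3)
}

// Derives the same key both ways and reports whether the key bytes match.
async function compareDerivations(derivedKeyType, usages) {
  const subtle = await getSubtle();
  // P-521 yields 528 bits of shared secret, enough for a 512-bit HMAC key.
  const gen = () => subtle.generateKey(
    { name: 'ECDH', namedCurve: 'P-521' }, false, ['deriveKey', 'deriveBits']);
  const [alice, bob] = await Promise.all([gen(), gen()]);
  const algorithm = { name: 'ECDH', public: bob.publicKey };

  const builtin = await subtle.deriveKey(
    algorithm, alice.privateKey, derivedKeyType, true, usages);
  const manual = await deriveKeyManually(
    subtle, algorithm, alice.privateKey, derivedKeyType, usages);

  const hex = async (key) =>
    Array.from(new Uint8Array(await subtle.exportKey('raw', key)))
      .map((b) => b.toString(16).padStart(2, '0')).join('');
  const [a, b] = await Promise.all([hex(builtin), hex(manual)]);
  return { identical: a === b, bits: a.length * 4 };
}
```

Calling compareDerivations({ name: 'HMAC', hash: 'SHA-256' }, ['sign']) exercises the HMAC default-length case mentioned in the message.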
