RE: Definition of KDF3 from Kelvin Yiu on 2009-07-13 (public-xmlsec@w3.org from July 2009)

From: Kelvin Yiu <kelviny@exchange.microsoft.com>
Date: Mon, 13 Jul 2009 12:30:03 -0700
To: Magnus Nyström <magnus@rsa.com>
CC: XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <EF8BB8116404AE42A67EF8BECBC1448703D76917C6@DF-POINTER-MSG.exchange.corp.microso>

The guidance we received a couple of years ago was that NIST specifically wanted the OtherInfo string in the SP800-56A KDF to be structured as described in sections 5.8.1 and 5.8.2. Basically the KDF cannot just expose OtherInfo as input - you had to expose the components (AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo, and SuppPrivInfo) directly as input parameters. Otherwise the KDF would not be considered FIPS compliant. 

Hence, I recommend that we differentiate between the 56A KDF and KDF3 by using a different name. 

Kelvin

-----Original Message-----
From: Magnus Nyström [mailto:magnus@rsa.com] 
Sent: Monday, July 13, 2009 6:50 AM
To: Kelvin Yiu
Cc: XMLSec WG Public List
Subject: Re: Definition of KDF3

Hi Kelvin,

Do you have access to X9.44-2007? KDF2 and KDF3 are in there too. Note also the text in X9.44:

> KDF2 and KDF3 are key derivation functions based on a hash function 
> (see Section 8.5). The lengths of the shared secret value and the 
> other information in KDF2 are both variable.
> 
> NOTE: KDF2 is equivalent to the function of the same name defined in 
> IEEE Std 1363-2004 [50], the "key derivation function based on 
> concatenation" in ANS X9.42 [4] and the key derivation function in ANS
> X9.63 [8]. KDF3 is aligned with the requirements in clause 5.8 of NIST 
> Special Publication 800-56 [78]. The only difference between KDF2 and
> KDF3 is the order of the components to be hashed.  KDF2 calculates T as: 
> T || Hash (Z || D || otherInfo) while KDF3 calculates T as : T || Hash 
> (D || Z || otherInfo).

-- Magnus

On Mon, 6 Jul 2009, Kelvin Yiu wrote:

> Magnus,
>
> Brian and I found a description for KDF3 (on a site that reference
> ISO-18033-2) where the definition is different than the KDF specified 
> in SP800-56A. The site does have a link to a near final draft of ISO 
> 18033-2, but that draft does not include any mention of KDF3.
>
> Since I don't have access to the final version ISO-18033-2 and cannot 
> find an official definition for KDF3, can you provide the official 
> definition for KDF3? I just wanted to make sure we are not confusing 
> implementers by using the name KDF3 in XMLEnc.

Received on Monday, 13 July 2009 19:32:13 UTC