RE: How does one specify the Salt/Nonce for ConcatKDF key derivation in XML encryption 1.1

Responding to myself here, one suggestion that has been made to me off-list is to provide a note on what to do in static-static situations. This may be reasonable and here's a suggestion:

In Section 5.4.1 of XML Encryption 1.1, change:

The AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo and SuppPrivInfo attributes are as defined in [SP800-56A]. Their presence is optional but AlgorithmID, PartyVInfo and PartyUInfo must be present for applications that need to comply with [SP800-56A].

To:

The AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo and SuppPrivInfo attributes are as defined in [SP800-56A]. Their presence is optional but AlgorithmID, PartyVInfo and PartyUInfo must be present for applications that need to comply with [SP800-56A]. Note: The PartyUInfo component shall include a nonce when ConcatKDF is used in conjunction with a static-static Diffie-Hellman (or static-static ECDH) key agreement scheme; see further [SP800-56A].

-- Magnus

> -----Original Message-----
> From: Magnus Nystrom
> Sent: Tuesday, September 27, 2011 8:44 PM
> To: XMLSec WG Public List (public-xmlsec@w3.org)
> Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation
> in XML encryption 1.1
> 
> Hi Pratik,
> In the case of static-static D-H, the nonce shall be part of the PartyUInfo
> element (see NIST 800-56A: "NonceU shall be in the PartyUInfo subfield of
> OtherInfo"). As we state in the document that these attributes are defined in
> 800-56A, I don't think there's a need to make an update here.
> 
> Best,
> -- Magnus
> 
> > > Resent-From: <public-xmlsec@w3.org>
> > > From: ext Pratik Datta <pratik.datta@oracle.com>
> > > Date: September 19, 2011 4:18:01 PM EDT
> > > To: <public-xmlsec@w3.org>
> > > Subject: How does one specify the Salt/Nonce for ConcatKDF key
> > > derivation in XML encryption 1.1
> > >
> > > I noticed that the Legacy key derivation function has a <KA-Nonce>
> > > element, PBKDF2 has a <Salt> element, but there is nothing equivalent
> > > of this for ConcatKDF.
> > > Is the salt supposed to be part of PartyUInfo, PartyVInfo?
> > >
> > >
> > > The SP800-56A  says this:
> > > ------
> > > 3.2 PartyUInfo: A bit string containing public information that is
> > > required by the application using this KDF to be contributed by
> > > party U to the key derivation process. At a minimum, PartyUInfo
> > > shall include IDU, the identifier of party U. See the notes below.
> > >
> > > 3.3 PartyVInfo: A bit string containing public information that is
> > > required by the application using this KDF to be contributed by
> > > party V to the key derivation process. At a minimum, PartyVInfo
> > > shall include IDV, the identifier of party V. See the notes below.
> > > -----
> > >
> > > I am not very clear from this text whether PartyUInfo is supposed
> > > to include some random value.
> > >
> > > Without the salt, the derived key will turn out to be the same every time.
> > >
> > >
> > > Pratik
> > >
> >

Received on Tuesday, 4 October 2011 02:58:40 UTC
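
The following is an added example, not part of the original thread or of the XML Encryption 1.1 text. It sketches a ConcatKDF-style derivation (SHA-256 over counter || Z || OtherInfo) to show the point discussed above: with a static-static shared secret the derived key repeats unless PartyUInfo carries a nonce. Assumptions: the function names, all sample values, and OtherInfo built by plain concatenation of AlgorithmID, PartyUInfo and PartyVInfo.

```python
import hashlib
import struct

# Constructed sample values (assumptions, not from the thread).
Z = bytes(range(32))                 # stands in for the static-static DH/ECDH shared secret
ALGORITHM_ID = b"example-aes256-kw"  # placeholder AlgorithmID bit string
ID_U = b"originator@example.org"     # IDU, identifier of party U
ID_V = b"recipient@example.org"      # IDV, identifier of party V


def concat_kdf(z: bytes, other_info: bytes, key_len: int) -> bytes:
    """Concatenate Hash(counter || Z || OtherInfo) for counter = 1, 2, ...

    The counter is a 32-bit big-endian integer; output is truncated to key_len.
    """
    out = b""
    counter = 1
    while len(out) < key_len:
        block = struct.pack(">I", counter) + z + other_info
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:key_len]


def build_other_info(algorithm_id: bytes, party_u_info: bytes,
                     party_v_info: bytes) -> bytes:
    # Assumption: simple concatenation; a real profile must fix field
    # lengths or length-prefix them so the encoding is unambiguous.
    return algorithm_id + party_u_info + party_v_info


def derive_key(z: bytes, id_u: bytes, id_v: bytes,
               nonce_u: bytes = b"", key_len: int = 32) -> bytes:
    # PartyUInfo = IDU || NonceU; the nonce is public and must reach party V
    # so that V can rebuild the same OtherInfo.
    party_u_info = id_u + nonce_u
    other_info = build_other_info(ALGORITHM_ID, party_u_info, id_v)
    return concat_kdf(z, other_info, key_len)


if __name__ == "__main__":
    import os
    # Static-static, no nonce: every message gets the same key.
    print(derive_key(Z, ID_U, ID_V).hex())
    print(derive_key(Z, ID_U, ID_V).hex())
    # Fresh NonceU per message in PartyUInfo: distinct keys from the same Z.
    for _ in range(2):
        nonce = os.urandom(16)
        print(nonce.hex(), derive_key(Z, ID_U, ID_V, nonce).hex())
```
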