RE: How does one specify the Salt/Nonce for ConcatKDF key derivation in XML encryption 1.1

Magnus,

In XML encryption 1.1 we are using ephemeral-static D-H, not static-static D-H.
But the XML encryption spec is saying - "The same ephemeral key may be used when there are multiple recipients that use the same curve parameters"

If the same ephemeral key is used, does that mean we are actually using static-static?

In the NIST 800-56A documentation, I don't see the NonceU mentioned in case of ephemeral-static.

Pratik

-----Original Message-----
From: Magnus Nystrom [mailto:mnystrom@microsoft.com] 
Sent: Tuesday, September 27, 2011 8:44 PM
To: XMLSec WG Public List (public-xmlsec@w3.org)
Subject: RE: How does one specify the Salt/Nonce for ConcatKDF key derivation in XML encryption 1.1

Hi Pratik,
In the case of static-static D-H, the nonce shall be part of the PartyUInfo element (see NIST 800-56A: "NonceU shall be in the PartyUInfo subfield of OtherInfo"). As we state in the document that these attributes are defined in 800-56A, I don't think there's a need to make an update here.

Best,
-- Magnus

> > Resent-From: <public-xmlsec@w3.org>
> > From: ext Pratik Datta <pratik.datta@oracle.com>
> > Date: September 19, 2011 4:18:01 PM EDT
> > To: <public-xmlsec@w3.org>
> > Subject: How does one specify the Salt/Nonce for ConcatKDF key
> > derivation in XML encryption 1.1
> >
> > I noticed that the Legacy key derivation function has a <KA-Nonce> element,
> > PBKDF2 has a <Salt> element, but there is nothing equivalent of this for
> > ConcatKDF.
> > Is the salt supposed to be part of PartyUInfo, PartyVInfo?
> >
> >
> > The SP800-56A  says this:
> > ------
> > 3.2 PartyUInfo: A bit string containing public information that is
> > required by the application using this KDF to be contributed by party
> > U to the key derivation process. At a minimum, PartyUInfo shall
> > include IDU, the identifier of party U. See the notes below.
> >
> > 3.3 PartyVInfo: A bit string containing public information that is
> > required by the application using this KDF to be contributed by party
> > V to the key derivation process. At a minimum, PartyVInfo shall
> > include IDV, the identifier of party V. See the notes below.
> > -----
> >
> > I am not very clear from this text whether PartyUInfo is supposed to include
> > some random value.
> >
> > Without the salt, the derived key will turn out to be the same every time.
> >
> >
> > Pratik
> >
> 

Received on Wednesday, 28 September 2011 18:33:47 UTC
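
Added example, not part of the thread or of the XML Encryption specification: a sketch of the SP 800-56A concatenation KDF showing the point discussed above, that a fixed shared secret with a fixed OtherInfo always yields the same key, while a NonceU carried inside PartyUInfo changes it. The length-prefixed field layout, the helper names `lp` and `other_info`, and all sample values are assumptions constructed for illustration; this is not the encoding XML Encryption 1.1 uses for these attributes.

```python
import hashlib
import os
import struct


def concat_kdf(z: bytes, other: bytes, key_len: int, hash_name: str = "sha256") -> bytes:
    """Concatenation KDF: blocks of H(counter || Z || OtherInfo), truncated to key_len."""
    out = b""
    counter = 1  # 32-bit big-endian counter, starting at 1
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(struct.pack(">I", counter))
        h.update(z)
        h.update(other)
        out += h.digest()
        counter += 1
    return out[:key_len]


def lp(field: bytes) -> bytes:
    """Hypothetical helper: 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(field)) + field


def other_info(alg_id: bytes, id_u: bytes, id_v: bytes, nonce_u: bytes = b"") -> bytes:
    """OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo (assumed layout).

    PartyUInfo carries IDU and, when supplied, NonceU.
    """
    party_u = lp(id_u) + (lp(nonce_u) if nonce_u else b"")
    party_v = lp(id_v)
    return lp(alg_id) + lp(party_u) + lp(party_v)


def demo():
    z = bytes(range(32))            # constructed shared secret (fixed, as in static-static)
    alg = b"constructed-alg-id"     # constructed AlgorithmID
    fixed = [concat_kdf(z, other_info(alg, b"sender", b"recipient"), 32)
             for _ in range(2)]
    fresh = [concat_kdf(z, other_info(alg, b"sender", b"recipient", os.urandom(16)), 32)
             for _ in range(2)]
    return fixed, fresh


if __name__ == "__main__":
    fixed, fresh = demo()
    print("no nonce, keys equal:  ", fixed[0] == fixed[1])
    print("with NonceU, keys equal:", fresh[0] == fresh[1])
```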