Re: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)

[John Bradley <ve7jtb@ve7jtb.com>]

COSE RFC8152 uses RFC5869 HKDF in all of its key aggrement alsgs. eg the
popular alg -25 ECDH-ES + HKDF-256

COSE becoming widely used in many protocols like Fido2/WebAutn.

HKDF not being certifiable by the CMVP would definatly suck for some.

I also mistakenly assumed that it would be certifiable.

John B.

On 5/8/2020 4:21 PM, Salz, Rich wrote:
> If you don’t care about FIPS-140, just delete this message, and avoid the temptation to argue how bad it is.
>
> NIST SP 800-56C (Recommendation for Key-Derivation Methods in Key-Establishment Schemes) is currently a draft in review. The document is at https://csrc.nist.gov/publications/detail/sp/800-56c/rev-2/draft  Email comments can be sent to 800-56C_Comments@nist.gov with a deadline of May 15.  That is not a lot of time.  The NIST crypto group is currently unlikely to include HKDF, which means that TLS 1.3 would not be part of FIPS. The CMVP folks at NIST understand this, and agree that this would be bad; they are looking at adding it, perhaps via an Implementation Guidance update.
>
> If you have a view of HKDF (and perhaps TLS 1.3), I strongly encourage you to comment at the above address.  Please do not comment here. I know that many members of industry and academia have been involved with TLS 1.3, and performed security analysis of it. If you are one of those people, *please* send email and ask the NIST Crypto Team to reconsider.
>
> Thank you.
> 	/r$
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg