Re: [TLS] [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)

"Dang, Quynh H. (Fed)" <quynh.dang@nist.gov> Thu, 14 May 2020 18:19 UTC

From: "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov>
To: "\"Torsten Schütze\"" <Torsten.Schuetze@gmx.net>
CC: Hugo Krawczyk <hugo@ee.technion.ac.il>, "cfrg@ietf.org" <cfrg@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "rsalz@akamai.com" <rsalz@akamai.com>
Date: Thu, 14 May 2020 18:19:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZXTaAnbwSmV-Cfh2J8KlyWnDhaU>
Subject: Re: [TLS] [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)

Hi Torsten,

The HKDF is one of the approved KDFs for being used together with an approved key exchange as specified in 56C.

At this moment, a standalone HKDF is not approved yet.

Draft version 2 of SP 800-133 (Section 6.3, item #3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2-draft.pdf) specifies an option for an HKDF's extraction step when the IKM is a shared secret generated from a NIST-approved random bit generator in the SP 800-90 series (like an external pre-shared key in TLS 1.3) or when the IKM is a pseudorandom key derived from a previous approved key exchange (like a resumption in TLS 1.3).




When/if that extraction step option is officially approved, meaning the current NIST's approved HKDFs in key exchanges in SP 800-56C would become NIST-approved standalone HKDFs, we'll publish their test vectors.

Regards,
Quynh.

________________________________
From: "Torsten Schütze" <Torsten.Schuetze@gmx.net>
Sent: Tuesday, May 12, 2020 8:36 AM
To: Dang, Quynh H. (Fed) <quynh.dang@nist.gov>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>; cfrg@ietf.org <cfrg@ietf.org>; tls@ietf.org <tls@ietf.org>; rsalz@akamai.com <rsalz@akamai.com>
Subject: Aw: Re: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)

Hi Quynh,

thank you for your quick response. I knew that omitting some fields was allowed, but not that permutations are allowed, too. Okay, this definitely makes HKDF RFC 5869 a NIST SP800-56C rev 2 compliant KDF. But what to do about the CAVP tests or approved test vectors? Couldn't NIST provide approved test vectors for the very often used RFC 5869 HKDF? I couldn't find any. Only for some older, application-specific KDFs. Of course, I can generate them by myself with an independent implementation, but I'm talking about evaluation/approval business here.

Regards

Torsten