KDF proposal draft 1, 23 March 2016. This proposal takes into account the new definitions for SHA-3.
Add to section 1.3 Normative References
[FIPS SP 800-56A] NIST. Special Publication 800-56A Revision 2: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, May 2013.
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
Modify section 2.3.8 as follows
• CK_EC_KDF_TYPE, CK_EC_KDF_TYPE_PTR
CK_EC_KDF_TYPE is used to indicate the Key Derivation Function (KDF) applied to derive keying data from a shared secret. The key derivation function will be used by the EC key agreement schemes. It is defined as follows:
typedef CK_ULONG CK_EC_KDF_TYPE;
The following table lists the defined functions.
Table 1, EC: Key Derivation Functions
Source Identifier
CKD_NULL
CKD_SHA1_KDF
CKD_SHA224_KDF
CKD_SHA256_KDF
CKD_SHA384_KDF
CKD_SHA512_KDF
CKD_SHA3_224_KDF
CKD_SHA3_256_KDF
CKD_SHA3_384_KDF
CKD_SHA3_512_KDF
CKD_SHA1_KDF_SP800
CKD_SHA224_KDF_SP800
CKD_SHA256_KDF_SP800
CKD_SHA384_KDF_SP800
CKD_SHA512_KDF_SP800
CKD_SHA3_224_KDF_SP800
CKD_SHA3_256_KDF_SP800
CKD_SHA3_384_KDF_SP800
CKD_SHA3_512_KDF_SP800
The key derivation function CKD_NULL produces a raw shared secret value without applying any key derivation function. The key derivation functions CKD_[SHA1|SHA224|SHA384|SHA512|SHA3_224|SHA3_256|SHA3_384|SHA3_512]_KDF, which are based on SHA-1, SHA-224, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 respectively, derive keying data from the shared secret value as defined in [ANSI X9.63]. The key derivation functions CKD_[SHA1|SHA224|SHA384|SHA512|SHA3_224|SHA3_256|SHA3_384|SHA3_512]_KDF_SP800, which are based on SHA-1, SHA-224, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 respectively, derive keying data from the shared secret value as defined in [FIPS SP800-56A] section 5.8.1.1.
CK_EC_KDF_TYPE_PTR is a pointer to a CK_EC_KDF_TYPE.
CK_ECD CK_ECD CK_ECMQV_DERIVE_PARAMS;
The fields of the structure have the following meanings:
kdf key derivation function used on the shared secret value
ulSharedDataLen the length in bytes of the shared info
pSharedData some data shared between the two parties
ulPublicDataLen the length in bytes of the other party’s first EC public key
pPublicData pointer to other party’s first EC public key value. Encoding rules are as per pPublicData of CK_ECDH1_DERIVE_PARAMS
ulPrivateDataLen the length in bytes of the second EC private key
hPrivateData key handle for second EC private key value
ulPublicDataLen2 the length in bytes of the other party’s second EC public key
pPublicData2 pointer to other party’s second EC public key value. Encoding rules are as per pPublicData of CK_ECDH1_DERIVE_PARAMS
publicKey Handle to the first party’s ephemeral public key
With the key derivation function CKD_NULL, pSharedData must be NULL and ulSharedDataLen must be zero. With the key derivation functions CKD_[SHA1|SHA224|SHA384|SHA512|SHA3_224|SHA3_256|SHA3_384|SHA3_512]_KDF, CKD_[SHA1|SHA224|SHA384|SHA512|SHA3_224|SHA3_256|SHA3_384|SHA3_512]_KDF_SP800, an optional pSharedData may be supplied, which consists of some data shared by the two parties intending to share the shared secret. Otherwise, pSharedData must be NULL and ulSharedDataLen must be zero.
CK_ECMQV_DERIVE_PARAMS_PTR is a pointer to a CK_ECMQV_DERIVE_PARAMS.
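The difference between the two KDF families in Table 1, together with the CKD_NULL rule on pSharedData, shown as an added example that is not part of the proposal or of any PKCS #11 implementation. It assumes pSharedData is passed unchanged as SharedInfo ([ANSI X9.63]) or OtherInfo ([FIPS SP800-56A] section 5.8.1.1), a 32-bit big-endian counter starting at 1 in both constructions, and string names in place of the CK_ULONG constants; derive, Z_SAMPLE and INFO_SAMPLE are hypothetical names and the sample values are constructed.

```python
import hashlib

# Hash part of the CKD_* names in Table 1 -> hashlib algorithm name (example mapping).
_HASHES = {"SHA1": "sha1", "SHA224": "sha224", "SHA256": "sha256",
           "SHA384": "sha384", "SHA512": "sha512", "SHA3_224": "sha3_224",
           "SHA3_256": "sha3_256", "SHA3_384": "sha3_384", "SHA3_512": "sha3_512"}

# Constructed sample inputs: a 32-byte shared secret Z and some shared data.
Z_SAMPLE = bytes(range(32))
INFO_SAMPLE = b"constructed-shared-info"


def derive(kdf: str, z: bytes, shared_data: bytes = b"", key_len: int = 32) -> bytes:
    """Derive keying data from shared secret z under the named CKD_* function."""
    if kdf == "CKD_NULL":
        # No KDF is applied, so shared data is not allowed (pSharedData must be
        # NULL, ulSharedDataLen zero). key_len is not used in this example.
        if shared_data:
            raise ValueError("CKD_NULL: shared data must be empty")
        return z
    if kdf.startswith("CKD_") and kdf.endswith("_KDF_SP800"):
        sp800, name = True, kdf[4:-len("_KDF_SP800")]
    elif kdf.startswith("CKD_") and kdf.endswith("_KDF"):
        sp800, name = False, kdf[4:-len("_KDF")]
    else:
        raise ValueError("not a CKD_* identifier: " + kdf)
    if name not in _HASHES:
        raise ValueError("unknown hash in " + kdf)
    out, counter = b"", 1
    while len(out) < key_len:
        ctr = counter.to_bytes(4, "big")
        if sp800:
            block = ctr + z + shared_data   # H(counter || Z || OtherInfo)
        else:
            block = z + ctr + shared_data   # H(Z || counter || SharedInfo)
        out += hashlib.new(_HASHES[name], block).digest()
        counter += 1
    return out[:key_len]


if __name__ == "__main__":
    for kdf in ("CKD_SHA256_KDF", "CKD_SHA256_KDF_SP800", "CKD_SHA3_256_KDF_SP800"):
        print(kdf, derive(kdf, Z_SAMPLE, INFO_SAMPLE, 16).hex())
```

Two peers that pick the same hash but different families (for example CKD_SHA256_KDF on one side and CKD_SHA256_KDF_SP800 on the other) derive different keys from the same shared secret, so the kdf field has to match on both ends.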
Header file changes: Add the following to pkcs11t.h under
/* The following X9.42 DH key derivation functions are defined */
#define CKD_SHA1_KDF_SP800 0x0000000EUL
#define CKD_SHA224_KDF_SP800 0x0000000FUL
#define CKD_SHA256_KDF_SP800 0x00000010UL
#define CKD_SHA384_KDF_SP800 0x00000011UL
#define CKD_SHA512_KDF_SP800 0x00000012UL
#define CKD_SHA3_224_KDF_SP800 0x00000013UL
#define CKD_SHA3_256_KDF_SP800 0x00000014UL
#define CKD_SHA3_384_KDF_SP800 0x00000015UL
#define CKD_SHA3_512_KDF_SP800 0x00000016UL
Furthermore, we suggest removing “X9.42 DH” from the commented line above, as these key derivation functions are used not only in combination with DH key derivation but also with ECDH and GOST.
1 The encoding in V2.20 was not specified and resulted in different implementations choosing different encodings. Applications relying only on a V2.20 encoding (e.g. the DER variant) other than the one specified now (raw) may not work with all V2.30 compliant tokens.
pkcs11-curr-v2.40-os, 14 April 2015. Standards Track Work Product. Copyright © OASIS Open 2015. All Rights Reserved.