NIST SP 800-56: Key-Establishment
doc
SP 800-56C Rev. 2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes
trusted third party (TTP)
mac: hmac, aes-cmac, kmac
random bit generator (RBG): SP 800-90
MQV: too many vulnerabilities
IEEE P1363
800-56c
Z: shared secret
OtherInput: salt, L, {IV}, FixedInfo
FixedInfo: Label, Context
DerivedKeyingMaterial = KDM(Z, OtherInput)
one-step kdf: shared secret -> Key-Derivation key
- hash(x), fips 180, fips 202
- hmac(key=salt, message=x), fips 198
- kmac(key=salt, message=x, H_outputBits, “KDF”), SP 800-185
Can be built on H(counter | Z | fixedInfo): the counter is incremented on each iteration and the per-iteration outputs are concatenated (|).
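The one-step construction above as runnable Python, with the hash and HMAC options for H. This is an added example, not code from these notes or from the NIST text; the function name, the byte-based output length (the notes use L in bits) and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional


def one_step_kdf(z: bytes, fixed_info: bytes, out_len: int,
                 hash_name: str = "sha256", use_hmac: bool = False,
                 salt: Optional[bytes] = None) -> bytes:
    """Concatenate H(counter || Z || FixedInfo) for counter = 1, 2, ...

    H is a plain hash, or HMAC keyed with the salt when use_hmac is set.
    out_len is in bytes (assumption of this example; the notes use bits, L).
    """
    probe = hashlib.new(hash_name)
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    if salt is not None and not use_hmac:
        raise ValueError("a salt is only used by the HMAC option")
    reps = -(-out_len // probe.digest_size)  # ceil(out_len / H output size)
    if reps > 2**32 - 1:
        raise ValueError("counter is 32 bits; requested output is too long")
    if use_hmac and salt is None:
        # Default salt: all-zero string as long as the hash input block.
        salt = bytes(probe.block_size)

    blocks = []
    for counter in range(1, reps + 1):
        # 32-bit big-endian counter, starting at 1, prefixed to Z and FixedInfo.
        x = counter.to_bytes(4, "big") + z + fixed_info
        if use_hmac:
            blocks.append(hmac.new(salt, x, hash_name).digest())
        else:
            blocks.append(hashlib.new(hash_name, x).digest())
    # Keep only the leftmost out_len bytes of the concatenation.
    return b"".join(blocks)[:out_len]


if __name__ == "__main__":
    # Constructed sample values, not test vectors.
    z = bytes(range(32))                                # stand-in shared secret Z
    fixed_info = b"example-label" + b"example-context"  # Label || Context
    print(one_step_kdf(z, fixed_info, 48).hex())
    print(one_step_kdf(z, fixed_info, 48, use_hmac=True).hex())
```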
two-step kdf: extraction-then-expansion, shared secret -> Key-Derivation key -> keying material
randomness extraction => KDK
- hmac(key=salt, message = Z)
- aes-cmac(key=salt, message=Z), sp 800-38B
key expansion => DerivedKeyingMaterial
- KDF(KDK, L, {IV}, FixedInfo)
If the PRF-based KDF is in feedback mode, an IV is required.
If the PRF-based KDF is in Counter mode / Double-Pipeline Iteration Mode, no IV is needed.