[Nfd-dev] About NDNCERT's KDF

Zhiyi Zhang zhiyi at cs.ucla.edu
Fri Apr 5 18:04:05 PDT 2019


Hi all,

As a follow-up, we found another proof showing the use of SHA2 is fine for
a KDF.
This is from NIST's Recommendation for Key-Derivation Methods in
Key-Establishment Schemes published in April 2018. (
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf)
It presents that an approved hash function (e.g., SHA256) can be used as a
valid KDF.

Best,
Zhiyi


On Wed, Apr 3, 2019 at 3:03 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

> Hi all,
>
> I just checked OpenSSL 1.0.2, and I don't think pkcs5_pbkdf2_hmac_sha1
> (Jeff T mentioned during Apr 3's NFD call) is exposed in 1.0.2.
> Instead, I found this KDF in 1.0.2: EVP_BytesToKey (
> https://www.openssl.org/docs/man1.0.2/man3/EVP_BytesToKey.html)
> However, this website (
> https://www.cryptopp.com/wiki/OPENSSL_EVP_BytesToKey) says
> "
> Early versions of EVP_BytesToKey used MD5, and later versions use SHA. MD5
> is used in OpenSSL 1.0.2 and earlier. OpenSSL 1.1.0c and later use SHA-256
> as the hash. Unless you have a specific need, you should not
> use OPENSSL_EVP_BytesToKey. Rather, you should use a password derivation
> function like HKDF or PBKDF2.
> "
> As we all know, MD5 has been deprecated as a crypto hash func, so my
> personal opinion is not to use this EVP_BytesToKey as NDNCERT's KDF.
>
> As pointed out here (
> https://crypto.stackexchange.com/questions/50135/is-sha-2-suitable-for-key-derivation),
> I think using a raw SHA256 should be fine for our NDNCERT's KDF purpose,
> given the AES key will only be used in one cert request "session".
>
> This will also avoid the OpenSSL version issue temporarily. When our NDN
> Testbed adopts a newer version of OpenSSL, we can bring the HKDF back.
>
> Best,
> Zhiyi
>
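
The three derivations named in this thread, side by side, as an added example that is not part of the original messages or of NDNCERT's code: truncated raw SHA-256, the SP 800-56C one-step KDF with SHA-256 as its hash, and RFC 5869 HKDF. The shared secret and the request identifiers are constructed for illustration; the comparison shows that only the two KDF constructions can bind the AES key to a particular request through a context input.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def raw_sha256_key(z: bytes, length: int = 16) -> bytes:
    """Raw-hash derivation as discussed in the thread: truncated SHA-256(Z)."""
    if not 0 < length <= HASH_LEN:
        raise ValueError("a single SHA-256 output gives at most 32 bytes")
    return hashlib.sha256(z).digest()[:length]


def one_step_kdf(z: bytes, length: int, fixed_info: bytes = b"") -> bytes:
    """SP 800-56C one-step KDF, hash option: SHA-256(counter || Z || FixedInfo)."""
    if length <= 0:
        raise ValueError("length must be positive")
    out = b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / 32) blocks
        out += hashlib.sha256(counter.to_bytes(4, "big") + z + fixed_info).digest()
    return out[:length]


def hkdf_sha256(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA-256."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF output is limited to 255 hash blocks")
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def compare_sessions(z: bytes, ctx_a: bytes, ctx_b: bytes) -> dict:
    """Report whether each method gives distinct AES-128 keys for two contexts."""
    return {
        "raw_sha256": raw_sha256_key(z) != raw_sha256_key(z),  # no context input
        "one_step": one_step_kdf(z, 16, ctx_a) != one_step_kdf(z, 16, ctx_b),
        "hkdf": hkdf_sha256(z, 16, info=ctx_a) != hkdf_sha256(z, 16, info=ctx_b),
    }


if __name__ == "__main__":
    z = bytes(range(32))  # constructed shared secret, not a real key
    print(compare_sessions(z, b"request-0001", b"request-0002"))  # hypothetical ids
```

With an empty FixedInfo, the one-step KDF differs from the raw hash only by the 4-byte counter prefix, so raw SHA-256 relies on the shared secret itself being fresh for every request.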