[Nfd-dev] About NDNCERT's KDF

Junxiao Shi shijunxiao at email.arizona.edu
Wed Apr 10 15:07:16 PDT 2019


Hi Zhiyi

No, SP 800-56C does not show "a raw SHA256" is fine for a KDF.
SHA256 can be used as part of the KDF, but it's not as simple as
KDF(Z)=SHA256(Z) - there should be other inputs to the hash function as
well.
SP 800-56C sections 4.1 and 5.1 have details on how to construct a KDF out of
a hash function such as SHA256.

Quote from crypto expert:

One thing that can go wrong is that if the same Z is used twice to derive
128-bit and 256-bit keys, the two keys will share the same first 128 bits.
This is very bad for a KDF.
If the designers are trying to keep it simple, the one-step key derivation
is probably what they want.


Yours, Junxiao

On Fri, Apr 5, 2019 at 9:04 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

> Hi all,
>
> As a follow-up, we found another proof showing the use of SHA2 is fine for
> a KDF.
> This is from NIST's Recommendation for Key-Derivation Methods in
> Key-Establishment Schemes published in April 2018. (
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf
> )
> It presents that an approved hash function (e.g., SHA256) can be used as a
> valid KDF.
>
> Best,
> Zhiyi
>
>
> On Wed, Apr 3, 2019 at 3:03 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>
>> Hi all,
>>
>> I just checked OpenSSL 1.0.2, and I don't think pkcs5_pbkdf2_hmac_sha1
>> (Jeff T mentioned during Apr 3's NFD call) is exposed in 1.0.2.
>> Instead, I found this KDF in 1.0.2: EVP_BytesToKey (
>> https://www.openssl.org/docs/man1.0.2/man3/EVP_BytesToKey.html)
>> However, this website (
>> https://www.cryptopp.com/wiki/OPENSSL_EVP_BytesToKey) says
>> "
>> Early versions of EVP_BytesToKey used MD5, and later versions use SHA.
>> MD5 is used in OpenSSL 1.0.2 and earlier. OpenSSL 1.1.0c and later use
>> SHA-256 as the hash. Unless you have a specific need, you should not
>> use OPENSSL_EVP_BytesToKey. Rather, you should use a password derivation
>> function like HKDF or PBKDF2.
>> "
>> As we all know, MD5 has been deprecated as a crypto hash func, so my
>> personal opinion is not to use this EVP_BytesToKey as NDNCERT's KDF.
>>
>> As pointed out here (
>> https://crypto.stackexchange.com/questions/50135/is-sha-2-suitable-for-key-derivation),
>> I think using a raw SHA256 should be fine for our NDNCERT's KDF purpose,
>> given the AES key will only be used in one cert request "session".
>>
>> This will also avoid the OpenSSL version issue temporarily. When our NDN
>> Testbed adopts a newer version of OpenSSL, we can bring the HKDF back.
>>
>> Best,
>> Zhiyi
>>
>
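
The prefix-sharing problem from the quoted expert comment, shown next to a one-step derivation in the style of SP 800-56C section 4.1. This is an added example, not part of the original thread and not NDNCERT's code. The FixedInfo layout (a label followed by the requested length in bits), the label value, and the sample Z are assumptions made for this illustration.

```python
import hashlib
import struct

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes of output per SHA-256 call


def raw_sha256_kdf(z: bytes, key_len: int) -> bytes:
    """KDF(Z) = SHA256(Z), truncated: the shortcut debated in the thread."""
    if not 0 < key_len <= HASH_LEN:
        raise ValueError("raw SHA-256 cannot yield more than 32 bytes")
    return hashlib.sha256(z).digest()[:key_len]


def one_step_kdf(z: bytes, key_len: int, label: bytes = b"example-aes-key") -> bytes:
    """One-step derivation: K(i) = SHA256(counter || Z || FixedInfo).

    Assumption of this example: FixedInfo = label || 32-bit big-endian
    output length in bits, so every key size gets its own hash input.
    """
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    fixed_info = label + struct.pack(">I", key_len * 8)
    reps = -(-key_len // HASH_LEN)  # ceil(key_len / HASH_LEN)
    blocks = [
        hashlib.sha256(struct.pack(">I", counter) + z + fixed_info).digest()
        for counter in range(1, reps + 1)
    ]
    return b"".join(blocks)[:key_len]


def shares_prefix(kdf, z: bytes) -> bool:
    """True if the 128-bit key equals the first half of the 256-bit key."""
    return kdf(z, 32)[:16] == kdf(z, 16)


# Constructed sample value standing in for the shared secret Z.
SAMPLE_Z = bytes(range(32))

if __name__ == "__main__":
    for name, kdf in (("raw SHA-256", raw_sha256_kdf), ("one-step KDF", one_step_kdf)):
        print(f"{name}: 128/256-bit keys share prefix = {shares_prefix(kdf, SAMPLE_Z)}")
```

Note that the counter alone does not separate key sizes: with an identical FixedInfo, a 128-bit output would still be the leftmost half of the 256-bit one, which is why this example binds the length into the hash input.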