Re: KDF API review, round 2

Wed, 15 Nov 2017 21:49:52 -0800 

On 11/15/2017 11:43 AM, Jamil Nimeh wrote:

Hello all,
Thanks to everyone who has given input so far.  I've updated the KeyDerivation API with the comments I've received.  The new specification is here: 

Text: http://cr.openjdk.java.net/~jnimeh/reviews/kdfspec/kdfspec.02.txt
Javadoc: http://cr.openjdk.java.net/~jnimeh/reviews/kdfspec/javadoc.02/

In terms of high level changes:

  * Moved to a getInstance/init usage pattern similar to Mac,
    KeyAgreement, Cipher, etc.  This allows KDF objects to be reused
    with different parameters by reinitializing.
  * Name change: DerivedKeyParameterSpec --> DerivationParameterSpec
  * Keys returned by derivation methods are now java.security.Key
    rather than SecretKey
  * Provided additional derivation methods to support non-key based
    output: deriveData, deriveObject
  * Added a new constructor to DerivationParameterSpec to support the
    Object return type.

Thanks,
--Jamil
This is pretty close, but I think you need to add an AlgorithmParameters argument to each of the getInstance calls in KeyDerivation - or require each KDF to specify a default model - not all KDFs are fully specified in a given document.
Alternately, you could use the .setParameter/.getParameter model of signature,  but it may be that underlying code will actually be creating a whole new instance.  (E.g. getInstance("NIST-SP800-108") vs getInstance("NIST-SP800-108-Counter") vs getInstance("NIST-SP800-108/Counter")) 


Here's the model I'm thinking about:

   SP800-108 is a parameterized set of Key derivation functions which
   goes something like:

       Pick either Counter or Feedback

       Pick the PRF (e.g. HMAC-SHA256, AES-128-CMAC, etc)
       Pick the size of the counter and endianness:  (e.g. Big endian
       Uint16)

       Pick the size and endianness of L

       Pick whether the counter precedes or follows the fixed data (for
       counter mode).
       Pick whether the counter is included and whether it precedes or
       follows the fixed data (for feedback mode)


Taken together those instantiation parameters define a particular KDF model.
Then for the .init() call, the kdfParams is where the Label and Context data go (what HKDF calls 'info').  For most KDFs this could just be a byte array.
For HKDF the getInstance must specify an underlying hash function - by definition mode is feedback, the size of the counter is fixed, L is not included in the base calculation.  (TLS1.3 uses HKDF and makes L a mandatory part of the HKDF).
I want to do a worked example from instantiation to use to make sure this covers the corner cases.  Give me a day....  I'm currently in Singapore. 

Mike

Reply via email to