It looks like NIST has recently published a FIPS Approved key-derivation function (as of March).  For the next P1619.1 draft, I would like to change the key derivation function (KDF) to match NIST's derivation function.  Does anyone need me to keep the previous key derivation function, or can I remove it?

The NIST document in question is NIST SP 800-56A "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography".  SP 800-56A specifies a KDF in section 5.8, "Key Derivation Functions for Key Agreement Schemes".  This KDF looks pretty much like the one in P1619.1-D5, except there are a couple additional fields.  I'd like to keep the underlying hash function as SHA-256, so that the device only has to perform one hash operation.

The whole question of key derivation has been very tricky and somewhat cloudy in past months, especially in relation to FIPS-certification.  The most definitive clarification I have found was released by NIST last September in the FIPS 140-2 Implementation Guidance (see http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf) [IG].  Sections 7.1 and 7.2 of FIPS 140-2 IG provide guidance for key derivation functions.  In particular, the Implementation Guidance states that the KDF from IEEE 802.11i is an Approved method, and provides the following text concerning SP 800-56:

Additional Notes and Conditions

NIST will be releasing a draft of Special Publication 800-56 for public comment. This document, when finalized, will provide Approved methods to derive keying material.

Since NIST published the final version of SP 800-56 last March, this should provide an allowed KDF.

Any questions or comments?

-Matt
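
For reference, a sketch of the concatenation KDF from SP 800-56A section 5.8, instantiated with SHA-256. This is an added example, not part of the original message and not taken from any P1619.1 draft. The shared secret, algorithm ID and party identifiers are constructed sample values, and the 4-byte length prefix on each OtherInfo field is an assumed encoding.

```python
import hashlib
import struct

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def length_prefixed(data: bytes) -> bytes:
    """Assumed encoding: 4-byte big-endian length, then the data.
    Prefixing keeps adjacent variable-length fields from being ambiguous."""
    return struct.pack(">I", len(data)) + data


def other_info(algorithm_id: bytes, party_u: bytes, party_v: bytes,
               supp_pub: bytes = b"", supp_priv: bytes = b"") -> bytes:
    """OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo
    {|| SuppPubInfo} {|| SuppPrivInfo}; the last two are optional."""
    return (length_prefixed(algorithm_id) + length_prefixed(party_u)
            + length_prefixed(party_v) + supp_pub + supp_priv)


def concat_kdf(z: bytes, key_len: int, info: bytes) -> bytes:
    """Derive key_len bytes: the leftmost bytes of
    H(1 || Z || OtherInfo) || H(2 || Z || OtherInfo) || ...
    where the counter is a 32-bit big-endian integer starting at 1."""
    if not z:
        raise ValueError("shared secret Z must not be empty")
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    reps = -(-key_len // HASH_LEN)  # ceiling division
    if reps > 0xFFFFFFFF:
        raise ValueError("requested key material exceeds the counter range")
    blocks = []
    for counter in range(1, reps + 1):
        blocks.append(hashlib.sha256(struct.pack(">I", counter) + z + info).digest())
    return b"".join(blocks)[:key_len]


# Constructed sample inputs (not real key material or real identifiers).
Z = bytes(range(32))
INFO = other_info(b"AES-256-GCM", b"device-01", b"key-manager")

if __name__ == "__main__":
    # A 256-bit key needs exactly one SHA-256 invocation (reps == 1).
    print(concat_kdf(Z, 32, INFO).hex())
```
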
