Matt,
I'll ask privately. It is possible that they (a) don't have a good answer or
(b) they're busy with other things.
Jack
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Matt Ball
Sent: Fri 5/26/2006 4:48 PM
To: SISWG
Cc:
Subject: FW: IEEE 1619.1 WG Requests Clarification on Key Derivation
Functions for FIPS 140-2 Certification
FYI:
Here are the e-mail messages I sent to NIST concerning key derivation.
So far, I have not received any responses. Is there anyone else in the IEEE
1619.1 work group who has contacts in NIST and could help drive this issue?
Thanks,
-Matt
-----Original Message-----
From: Matt Ball
Sent: Monday, May 22, 2006 8:04 AM
To: 'Elaine Barker'
Subject: FW: IEEE 1619.1 WG Requests Clarification on Key
Derivation Functions for FIPS 140-2 Certification
Hi Elaine,
I was wondering if you could help a little with the following question
about key derivation. A little over two weeks ago, I sent this message to the
distribution list indicated by the FIPS 140-2 IG document. Unfortunately, I
haven't gotten any responses back yet. There is an IEEE meeting tomorrow, and
I was hoping to have a little guidance to bring to the meeting. Do you know if
I've sent this message to the right people, or is there a better person for a
key-derivation question?
Thanks!
-Matt
-----Original Message-----
From: Matt Ball
Sent: Wednesday, May 17, 2006 11:31 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Cc: 'Morris Dworkin'
Subject: RE: IEEE 1619.1 WG Requests Clarification on Key
Derivation Functions for FIPS 140-2 Certification
Hello again,
I just wanted to follow up to see if anyone has had time to look at
this question. There will be an IEEE 1619 meeting this Tuesday (May 23rd), and
I was hoping to have some kind of answer for that meeting. If that's too soon
for a formal reply, I was wondering if I could at least get an informal reply
so that we have some guidance about how to proceed with 'Key Derivation'.
I've also released another draft, IEEE P1619.1-D6, which you can find
at this web site: <http://grouper.ieee.org/groups/1619/email/msg00821.html>.
This has basically the same key transform as the 'D5' version, except that we
moved the original key to the end to reduce entropy loss due to the hashing
function.
I appreciate any help! Please let me know if you have any questions!
Matt Ball
Embedded Software Engineer
Quantum Corporation
4001 Discovery Drive, Suite 1100
Boulder, CO 80303
(720) 406-5766
-----Original Message-----
From: Matt Ball
Sent: Friday, May 05, 2006 6:16 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL
PROTECTED]'
Cc: 'Morris Dworkin'
Subject: IEEE 1619.1 WG Requests Clarification on Key
Derivation Functions for FIPS 140-2 Certification
Hello,
On behave of the IEEE 1619.1 Work Group, I would like to
request some clarification on Key Derivation Functions (KDF) that are accepted
by NIST for FIPS 140-2 certification. To this end, I have included a Request
for Guidance (RFG) as outlined in section G.1 of FIPS 140-2 IG:
1. This RFG is NON-PROPRIETARY
2. Descriptive Title:
"Is the IEEE P1619.1-D5 Key Derivation Function
acceptable for NIST FIPS 140-2 certification?"
3. Applicable statement(s) from FIPS 140-2:
Section 4.7.3 "Key Establishment"
Annex A and D
4. Applicable assertion(s) from the FIPS 140-2 DTR,
5. Applicable required test procedure(s) from the FIPS 140-2
DTR,
6. Applicable statements from FIPS 140-2 Implementation
Guidance,
Section 7.1 "Acceptable Key Establishment Protocols"
The following key derivation methods will be
allowed in FIPS mode:
• The key derivation functions specified in
FIPS 140-2 IG 7.2.
• Key derivation methods that do not compromise
the resultant desired entropy of the derived key. The submitted test report
must describe the method and provide rationale
Section 7.2 "Use of IEEE 802.11i Key Derivation
Protocols"
Additional Notes and Conditions:
NIST will be releasing a draft of Special
Publication 800-56 for public comment. This document, when finalized, will
provide Approved methods to derive keying material.
7. Applicable statements from algorithmic standards,
8. Background information if applicable, including any previous
CMVP or CAVP official rulings or guidance,
9. A concise statement of the problem, followed by a clear and
unambiguous question regarding the problem,
The IEEE 1619.1 Work Group has been trying to deal with
the problem of IV-collisions in cases when a customer uses the same encryption
key to protect data on two different pieces of media. To solve this problem,
we came up with two allowed approaches:
1) Use an IV with high enough entropy that the
chance of collision is negligible.
2) Use a key derivation function (kdf) to
transform the encryption key using vendor-unique information. This then allows
the encryption device to use a systematic IV that is unique in among all media
made by a particular vendor.
Unfortunately, there is not very much guidance in FIPS
140-2 as to whether it is allowed to transform keys in this manner. The IEEE
1619.1-D5 draft (see <http://grouper.ieee.org/groups/1619/email/msg00750.html>
for a copy of this draft) specifies using the derivation function from NIST SP
800-90, section 10.4.1 (Derivation Function Using a Hash Function).
Is this derivation function acceptable for use in a
NIST FIPS 140-2-certified solution in an approved mode of operation?
If not, is there any derivation function that would be
acceptable as a replacement in the context of IEEE 1619.1? (maybe the one from
SP 800-56A?)
10. A suggested statement of the resolution that is being
sought.
We would like guidance on acceptable uses of key
derivation functions, including accepted algorithms and best-practices.
Thank you for your time,
Matt Ball
Embedded Software Engineer
Quantum Corporation
4001 Discovery Drive, Suite 1100
Boulder, CO 80303
(720) 406-5766
