Matt, I'll ask privately. It is possible that they (a) don't have a good answer or (b) they're busy with other things. Jack
-----Original Message----- From: [EMAIL PROTECTED] on behalf of Matt Ball Sent: Fri 5/26/2006 4:48 PM To: SISWG Cc: Subject: FW: IEEE 1619.1 WG Requests Clarification on Key Derivation Functions for FIPS 140-2 Certification FYI: Here are the e-mail messages I sent to NIST concerning key derivation. So far, I have not received any responses. Is there anyone else in the IEEE 1619.1 work group who has contacts in NIST and could help drive this issue? Thanks, -Matt -----Original Message----- From: Matt Ball Sent: Monday, May 22, 2006 8:04 AM To: 'Elaine Barker' Subject: FW: IEEE 1619.1 WG Requests Clarification on Key Derivation Functions for FIPS 140-2 Certification Hi Elaine, I was wondering if you could help a little with the following question about key derivation. A little over two weeks ago, I sent this message to the distribution list indicated by the FIPS 140-2 IG document. Unfortunately, I haven't gotten any responses back yet. There is an IEEE meeting tomorrow, and I was hoping to have a little guidance to bring to the meeting. Do you know if I've sent this message to the right people, or is there a better person for a key-derivation question? Thanks! -Matt -----Original Message----- From: Matt Ball Sent: Wednesday, May 17, 2006 11:31 AM To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' Cc: 'Morris Dworkin' Subject: RE: IEEE 1619.1 WG Requests Clarification on Key Derivation Functions for FIPS 140-2 Certification Hello again, I just wanted to follow up to see if anyone has had time to look at this question. There will be an IEEE 1619 meeting this Tuesday (May 23rd), and I was hoping to have some kind of answer for that meeting. If that's too soon for a formal reply, I was wondering if I could at least get an informal reply so that we have some guidance about how to proceed with 'Key Derivation'. I've also released another draft, IEEE P1619.1-D6, which you can find at this web site: <http://grouper.ieee.org/groups/1619/email/msg00821.html>. This has basically the same key transform as the 'D5' version, except that we moved the original key to the end to reduce entropy loss due to the hashing function. I appreciate any help! Please let me know if you have any questions! Matt Ball Embedded Software Engineer Quantum Corporation 4001 Discovery Drive, Suite 1100 Boulder, CO 80303 (720) 406-5766 -----Original Message----- From: Matt Ball Sent: Friday, May 05, 2006 6:16 PM To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' Cc: 'Morris Dworkin' Subject: IEEE 1619.1 WG Requests Clarification on Key Derivation Functions for FIPS 140-2 Certification Hello, On behave of the IEEE 1619.1 Work Group, I would like to request some clarification on Key Derivation Functions (KDF) that are accepted by NIST for FIPS 140-2 certification. To this end, I have included a Request for Guidance (RFG) as outlined in section G.1 of FIPS 140-2 IG: 1. This RFG is NON-PROPRIETARY 2. Descriptive Title: "Is the IEEE P1619.1-D5 Key Derivation Function acceptable for NIST FIPS 140-2 certification?" 3. Applicable statement(s) from FIPS 140-2: Section 4.7.3 "Key Establishment" Annex A and D 4. Applicable assertion(s) from the FIPS 140-2 DTR, 5. Applicable required test procedure(s) from the FIPS 140-2 DTR, 6. Applicable statements from FIPS 140-2 Implementation Guidance, Section 7.1 "Acceptable Key Establishment Protocols" The following key derivation methods will be allowed in FIPS mode: • The key derivation functions specified in FIPS 140-2 IG 7.2. • Key derivation methods that do not compromise the resultant desired entropy of the derived key. The submitted test report must describe the method and provide rationale Section 7.2 "Use of IEEE 802.11i Key Derivation Protocols" Additional Notes and Conditions: NIST will be releasing a draft of Special Publication 800-56 for public comment. This document, when finalized, will provide Approved methods to derive keying material. 7. Applicable statements from algorithmic standards, 8. Background information if applicable, including any previous CMVP or CAVP official rulings or guidance, 9. A concise statement of the problem, followed by a clear and unambiguous question regarding the problem, The IEEE 1619.1 Work Group has been trying to deal with the problem of IV-collisions in cases when a customer uses the same encryption key to protect data on two different pieces of media. To solve this problem, we came up with two allowed approaches: 1) Use an IV with high enough entropy that the chance of collision is negligible. 2) Use a key derivation function (kdf) to transform the encryption key using vendor-unique information. This then allows the encryption device to use a systematic IV that is unique in among all media made by a particular vendor. Unfortunately, there is not very much guidance in FIPS 140-2 as to whether it is allowed to transform keys in this manner. The IEEE 1619.1-D5 draft (see <http://grouper.ieee.org/groups/1619/email/msg00750.html> for a copy of this draft) specifies using the derivation function from NIST SP 800-90, section 10.4.1 (Derivation Function Using a Hash Function). Is this derivation function acceptable for use in a NIST FIPS 140-2-certified solution in an approved mode of operation? If not, is there any derivation function that would be acceptable as a replacement in the context of IEEE 1619.1? (maybe the one from SP 800-56A?) 10. A suggested statement of the resolution that is being sought. We would like guidance on acceptable uses of key derivation functions, including accepted algorithms and best-practices. Thank you for your time, Matt Ball Embedded Software Engineer Quantum Corporation 4001 Discovery Drive, Suite 1100 Boulder, CO 80303 (720) 406-5766