Hi Torsten, The HKDF is one of the approved KDFs for being used together with an approved key exchange as specified in 56C.
At this moment, a standalone HKDF is not approved yet. Draft version 2 of SP 800-133 (Section 6.3, item# 3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2-draft.pdf )specifies an option for a HKDF's extraction step when the IKM is a shared secret generated from a NIST's approved random bit generator in SP 800-90 series (like external pre-shared key in TLS 1.3) or when the IKM is a pseudorandom key derived from a previous approved key exchange (like a resumption in TLS 1.3). Recommendation for Cryptographic Key Generation<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2-draft.pdf> Draft NIST Special Publication 800-133 . Revision 2. Recommendation for Cryptographic Key Generation. Elaine Barker . Allen Roginsky . Richard Davis . This publication is available free of charge from: nvlpubs.nist.gov When/if that extraction step option is officially approved, meaning the current NIST's approved HKDFs in key exchanges in SP 800-56C would become NIST-approved standalone HKDFs, we'll publish their test vectors. Regards, Quynh. ________________________________ From: "Torsten Schütze" <torsten.schue...@gmx.net> Sent: Tuesday, May 12, 2020 8:36 AM To: Dang, Quynh H. (Fed) <quynh.d...@nist.gov> Cc: Hugo Krawczyk <h...@ee.technion.ac.il>; c...@ietf.org <c...@ietf.org>; tls@ietf.org <tls@ietf.org>; rs...@akamai.com <rs...@akamai.com> Subject: Aw: Re: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3) Hi Quynh, thank you for your quick response. I knew that omitting some fields was allowed, but not that permutations are allowed, too. Okay, this makes HKDF RFC 5869 definitely to a NIST SP800-56C rev 2 compliant KDF. But what to do about the CAVP tests or approved test vectors. Couldn't NIST provide for the very often used RFC 5869 HKDF approved test vectors? I coulnd't find any. Only for some older, application specific KDFs. Of course, I can generate them by myself with an independent implementation, but I'm talking about evaluation/approval business here. Regards Torsten
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls