It may be prudent to use a FIPS 140-1/2 certifiable PRF, such as defined in
FIPS 186-2 using SHA-1 in the core. I'm not sure if p1363a's KDF2 is the same
as FIPS 186-2 G function-based PRF.
ekr(_at_)speedy(_dot_)rtfm(_dot_)com 2/20/01 16:11:53 >>>
William Whyte <WWhyte(_at_)baltimore(_dot_)com> writes:
William suggests byte reversal instead, which seems ok from both
Okay. So, since bitwise-NOT and bit-reversal both have shortcomings, what
are you going to use as the mandatory to implement transform?
As Stephen says, I've suggested byte reversal. In fact, what I
would most like to see as the mandatory to implement transform
is X9.63 key derivation (the key derivation function referred
to as KDF2 in IEEE P1363a), but to the best of my knowledge there's
no stable, freely-available description of this that we could
reference. If anyone fancied writing it up as an RFC that'd
be very nice...
How about using the PRF from TLS? It's HMAC-based, widely viewed
as strong, and easily referenceable.
Description: Text document