Draft NIST SP 800-56 and KDFs

Dear S/MIME WG:

Last month, I reviewed the draft NIST SP 800-56. I sent in some comments
about the requirements and the impact to Key Derivation Functions (KDFs)
used in the S/MIME documents. I chose to focus on RFC 3278 in my
comments, but I believe that the issues relate to all of the key agreement
key management documents.

NIST SP 800-56 (and the other documents in this series) are important to
implementors that want to have FIPS 140-2 validation of their products.

Earlier this week, I met with some folks from the U.S. Government about my
comments. I got some very clear guidance regarding the inputs to the
KDF. There are two cases to consider: static public keys and ephemeral

When a static public key is used, one of the inputs to the KDF must be an
identifier that is bound to the static public key. This could be an
identity from the certificate that contains the static public key, a hash
of the certificate, or the whole certificate. In S/MIME, the email address
seems like a very natural choice, but this may not be the best approach in
other CMS contexts.

When an ephemeral public key is used, one of the inputs to the KDF must be
an indicator that an ephemeral public key was used. The idea is to clearly
designate that an ephemeral public key, as opposed to a static public key,
was used. The identifier in this case can be a constant, such as the ASCII
string "ephemeral public key." Of course, any constant would be acceptable.

With this guidance in hand, I would like to discuss the best form of
identifier for CMS.
- Draft NIST SP 800-56 and KDFs, Russ Housley
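The two cases described in the message, as an added example that is not part of the original post or of any S/MIME specification: a counter-mode hash KDF in the style of ANSI X9.63 whose shared-info input carries either a hash of the static key's certificate or the constant for an ephemeral key. The function names, the one-byte type prefix, the length-prefixed layout and all sample bytes are assumptions made for this illustration.

```python
import hashlib
import struct

# Constant taken from the message; any fixed value would serve.
EPHEMERAL_TAG = b"ephemeral public key"


def key_identifier(static_cert_der=None):
    """Build the identifier that is fed into the KDF.

    Static key: SHA-256 of the certificate holding it (one option in the message).
    Ephemeral key: a fixed constant that marks the key as ephemeral.
    The leading type byte is an assumption of this example; it keeps a
    certificate hash from ever colliding with the ephemeral constant.
    """
    if static_cert_der is None:
        return b"\x00" + EPHEMERAL_TAG
    return b"\x01" + hashlib.sha256(static_cert_der).digest()


def derive_key(z, identifier, out_len, other_info=b""):
    """Derive out_len bytes as SHA-256(Z || counter || SharedInfo), counter = 1, 2, ...

    SharedInfo here is a 4-byte big-endian length, the identifier, then
    other_info. That layout is assumed for the example, not a defined encoding.
    """
    shared_info = struct.pack(">I", len(identifier)) + identifier + other_info
    out = b""
    counter = 1
    while len(out) < out_len:
        out += hashlib.sha256(z + struct.pack(">I", counter) + shared_info).digest()
        counter += 1
    return out[:out_len]


def demo():
    """Derive keys from one shared secret under three different identifiers."""
    z = bytes(range(32))                                # constructed shared secret
    cert_a = b"constructed certificate bytes, recipient A"
    cert_b = b"constructed certificate bytes, recipient B"
    return {
        "static_a": derive_key(z, key_identifier(cert_a), 48),
        "static_b": derive_key(z, key_identifier(cert_b), 48),
        "ephemeral": derive_key(z, key_identifier(), 48),
    }


if __name__ == "__main__":
    for label, key in demo().items():
        print(label, key.hex())
```

The same shared secret yields unrelated keys under each identifier, so a key derived for one static certificate, or for the ephemeral case, cannot be reproduced under another.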