It may be prudent to use a FIPS 140-1/2 certifiable PRF, such as defined in
FIPS 186-2 using SHA-1 in the core. I'm not sure if p1363a's KDF2 is the same as
FIPS 186-2 G function-based PRF.
- Tolga
>>> ekr(_at_)speedy(_dot_)rtfm(_dot_)com 2/20/01 16:11:53 >>>
William Whyte <WWhyte(_at_)baltimore(_dot_)com> writes:
> > >William suggests byte reversal instead, which seems ok from both
> > >perspectives.
> >
> > Okay. So, since bitwise-NOT and bit-reversal both have shortcomings, what
> > are you going to use as the mandatory to implement transform?
>
> As Stephen says, I've suggested byte reversal. In fact, what I
> would most like to see as the mandatory to implement transform
> is X9.63 key derivation (the key derivation function referred
> to as KDF2 in IEEE P1363a), but to the best of my knowledge there's
> no stable, freely-available description of this that we could
> reference. If anyone fancied writing it up as an RFC that'd
> be very nice...

How about using the PRF from TLS? It's HMAC-based, widely viewed
as strong, and easily referenceable.

-Ekr
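
Added example, not part of the original messages: two of the candidate transforms named in the thread side by side, byte reversal and the X9.63 / KDF2 counter-mode hash construction, Hash(Z || 32-bit big-endian counter || SharedInfo) with the counter starting at 1. The function names, the choice of SHA-1 and the sample key are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed 16-byte sample key, for illustration only.
SAMPLE_KEY = bytes(range(16))


def byte_reverse(key: bytes) -> bytes:
    """Byte-reversal transform: a fixed permutation that is its own inverse."""
    return key[::-1]


def x963_kdf(z: bytes, length: int, shared_info: bytes = b"",
             hash_name: str = "sha1") -> bytes:
    """Counter-mode hash KDF in the X9.63 / KDF2 style.

    Output block i is Hash(Z || I2OSP(i, 4) || SharedInfo) for i = 1, 2, ...
    The concatenated blocks are truncated to `length` bytes.
    """
    digest_size = hashlib.new(hash_name).digest_size
    if length < 0 or length > digest_size * 0xFFFFFFFF:
        raise ValueError("requested length out of range for a 32-bit counter")
    out = bytearray()
    counter = 1
    while len(out) < length:
        block = hashlib.new(hash_name)
        block.update(z + struct.pack(">I", counter) + shared_info)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def derive_pair(key: bytes, length: int) -> dict:
    """Derive a second key from `key` with each transform, for comparison."""
    return {
        "byte_reversed": byte_reverse(key),
        "kdf": x963_kdf(key, length, shared_info=b"derived-key"),
    }


if __name__ == "__main__":
    for name, value in derive_pair(SAMPLE_KEY, 16).items():
        print(f"{name:14s} {value.hex()}")
```

Applying byte reversal a second time returns the original key, while the KDF output can only be recomputed from Z, and distinct SharedInfo labels give independent-looking outputs.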