Hi Rich, Sean and all,
1) Traditionally, a HKDF-Extract is used to extract entropy from a DH type
shared secret. However, the first HKDF-Extract in the key schedule takes a PSK
instead of a DH shared secret.
We don't see security problems with this instance in TLS 1.3. NIST requires the
PSK to
Rich,
Check out SP 800-52r2. Section 3.1 includes the following:
servers … should be configured to negotiate TLS 1.3.
and
Agencies shall support TLS 1.3 by January 1, 2024.
“should” and “shall” are defined in RFC 2119. One could make the case that you
are already there ;} If not, then I’m goi
On Sat, May 9, 2020 at 9:08 AM Salz, Rich
wrote:
>
> Sorry for the confusion I caused.
>
> HKDF is part of SP 800-56C. NIST says that what TLS 1.3 does isn't quite
the same, and therefore will not be covered by 56C. NIST wants to get TLS
1.3 validated for FIPS, and is currently trying to figure o
Sorry for the confusion I caused.
HKDF is part of SP 800-56C. NIST says that what TLS 1.3 does isn't quite the
same, and therefore will not be covered by 56C. NIST wants to get TLS 1.3
validated for FIPS, and is currently trying to figure out how to do so. The
comment period for 56C closes Fr
On Fri, May 8, 2020, at 17:08, Salz, Rich wrote:
> It cites it, but doesn't include it in the 800-56 doc.
Maybe I'm confused too, but it sounds like it's included to me. The
definition of the KDF includes:
> The first (randomness-extraction) step uses either HMAC … If
> HMAC-hash is used i
> -Original Message-
> From: Salz, Rich
>
> >[DB] But NIST Draft SP 800-56Cr2 cites RFC 5869, which is HKDF, and
> > says
> HKDF
> is a version of 56C Section 5.1. So, I had thought that 56C would allow
> HKDF.
> What am I missing?
>
> It cites it, but doesn't include it in
>[DB] But NIST Draft SP 800-56Cr2 cites RFC 5869, which is HKDF, and says
> HKDF
is a version of 56C Section 5.1. So, I had thought that 56C would allow
HKDF.
What am I missing?
It cites it, but doesn't include it in the 800-56 doc.
___
> -Original Message-
> From: Cfrg On Behalf Of Salz, Rich
> Subject: [Cfrg] NIST crypto group and HKDF (and therefore TLS 1.3)
>
> NIST SP 800-56C (Recommendation for Key-Derivation Methods in Key-
> Establishment Schemes) is currently a draft in review with a deadline of
> May 15.
If you don’t care about FIPS-140, just delete this message, and avoid the
temptation to argue how bad it is.
NIST SP 800-56C (Recommendation for Key-Derivation Methods in Key-Establishment
Schemes) is currently a draft in review. The document is at
https://csrc.nist.gov/publications/detail/sp/8
