Subject: Re: [pkcs11] Groups - TLS 1.2 mechanisms uploaded
On Thu, Aug 8, 2013 at 6:40 PM, Michael StJohns <msj@nthpermutation.com> wrote:
>
> I'm adding a TLS PRF-based mechanism that can only be used for key
> derivation. The name is CKM_TLS12_KDF and accepts a label, set of random
> values and an optional context per that RFC.
>
> I figured out that you don't have to provide an output structure to produce
> multiple keys - instead do a second (third, fourth etc) derivation from the
> produced key stream using one of the trivial kdf functions -
> CKM_EXTRACT_KEY_FROM_KEY to break up the key stream.

Correct.

> I may ask the CCM/GCM author to propose a new mechanism that gets its IVs
> from somewhere else. For TLS1.3, I'm thinking that inserting a key
> derivation step between the key generation and IV generation step might work
> - e.g. derive 4 keys plus an IV subkey. From the IV sub key derive the two
> IVs.

For TLS 1.3 we can also call the TLS PRF with a new label to generate the IVs.

Alternatively, we can define a new AES-GCM mechanism that takes the implicit nonce as a generic secret key. NIST SP 800-38D Section 9.1 seems to recommend that the implicit nonce for AES GCM be kept inside a crypto module:

  2. The IV shall be a critical security parameter as defined in FIPS Pub. 140-2 until the authenticated encryption function is invoked with the IV. Prior to this invocation, the IV shall be provided the same protection as other critical security parameters in a module that is validated to the requirements in FIPS Pub. 140-2.

Wan-Teh
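The two derivation patterns discussed in this exchange (one PRF call producing a key stream that is then carved up, versus a second PRF call with a distinct label for the IVs), as an added example that is not part of the thread or of any PKCS#11 implementation. It implements the TLS 1.2 PRF and key expansion from RFC 5246 in plain Python with the standard library; `extract_key_from_key` only models the byte-level split that CKM_EXTRACT_KEY_FROM_KEY performs (the real mechanism takes a bit index), the label `b"iv expansion"` is a hypothetical placeholder rather than a label defined by any RFC, and the master secret and randoms are constructed sample values.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5, expanded to `length` bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output block i is
    HMAC(secret, A(i) + seed).
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def extract_key_from_key(key_stream: bytes, byte_offset: int, length: int) -> bytes:
    """Models splitting a derived key stream the way CKM_EXTRACT_KEY_FROM_KEY
    does (byte-granular here; the PKCS#11 mechanism takes a bit index)."""
    if byte_offset < 0 or length < 0 or byte_offset + length > len(key_stream):
        raise ValueError("extraction runs outside the key stream")
    return key_stream[byte_offset:byte_offset + length]


KEY_BLOCK_ORDER = (
    "client_write_MAC_key", "server_write_MAC_key",
    "client_write_key", "server_write_key",
    "client_write_IV", "server_write_IV",
)


def tls12_key_block(master_secret, client_random, server_random,
                    mac_len, key_len, iv_len):
    """RFC 5246 section 6.3 key expansion: one PRF call produces the whole
    key block, which is then carved into six keys in the fixed order above.
    Returns (key_block, {name: bytes})."""
    seed = server_random + client_random          # note: server_random first
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = tls12_prf(master_secret, b"key expansion", seed, sum(sizes))
    keys, offset = {}, 0
    for name, size in zip(KEY_BLOCK_ORDER, sizes):
        keys[name] = extract_key_from_key(block, offset, size)
        offset += size
    return block, keys


def derive_ivs_with_new_label(master_secret, client_random, server_random,
                              iv_len, label=b"iv expansion"):
    """The alternative floated in the reply: a second PRF call with a distinct
    label yields the IVs from a derivation separate from the key block.
    The label "iv expansion" is a hypothetical placeholder for illustration."""
    seed = server_random + client_random
    ivs = tls12_prf(master_secret, label, seed, 2 * iv_len)
    return {"client_write_IV": ivs[:iv_len], "server_write_IV": ivs[iv_len:]}


def gcm_nonce(write_iv: bytes, nonce_explicit: bytes) -> bytes:
    """TLS 1.2 AES-GCM nonce (RFC 5288 section 3): the 4-byte implicit part
    (the write IV from the key block) followed by the 8-byte explicit part."""
    if len(write_iv) != 4 or len(nonce_explicit) != 8:
        raise ValueError("GCM nonce needs a 4-byte salt and 8-byte explicit part")
    return write_iv + nonce_explicit


def prf_matches_rfc_structure() -> bool:
    """Self-check: the first 32 PRF bytes must equal HMAC(secret, A(1) + seed)."""
    secret, label, seed = b"secret", b"label", b"seed"
    a1 = hmac.new(secret, label + seed, hashlib.sha256).digest()
    expected = hmac.new(secret, a1 + label + seed, hashlib.sha256).digest()
    return tls12_prf(secret, label, seed, 32) == expected


# Constructed sample inputs (not real handshake values).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    # AES-128-GCM: no MAC key, 16-byte write keys, 4-byte implicit IVs.
    block, keys = tls12_key_block(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                                  mac_len=0, key_len=16, iv_len=4)
    print("key_block:", block.hex())
    for name in KEY_BLOCK_ORDER:
        print(f"{name:>22}: {keys[name].hex() or '(empty)'}")
    ivs = derive_ivs_with_new_label(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 4)
    print("IVs via new label   :", ivs["client_write_IV"].hex(), ivs["server_write_IV"].hex())
    print("first record nonce  :", gcm_nonce(keys["client_write_IV"], (0).to_bytes(8, "big")).hex())
```

The point the SP 800-38D quote makes shows up in `gcm_nonce`: the 4-byte implicit part is itself material from the key block, so in a PKCS#11 module it deserves the same handling as the write keys it sits next to rather than being returned to the caller as plain data; keeping it as a generic secret key object, as the reply suggests, is what keeps it inside the module boundary.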