pkcs11 message

Subject: WD04 review: IKE, HSS


All,

 

I’ve checked the IKE and HSS sections again, also covering my AI.

 

 

IKE (section 6.64):

 

Based on the discussion with Bob we need to change the non-existing error CKR_KEY_RANGE_ERROR to CKR_KEY_SIZE_ERROR.

 

The definition of CK_IKE_PRF_DERIVE_PARAMS is wrong since it’s missing “DERIVE” in line 14418. The same holds for the header file. In the header, CK_IKE_PRF_DERIVE_PARAMS_PTR is wrongly defined as CK_IKE_PRF_PARAMS_PTR (again DERIVE is missing). I’ve already contacted Bob about this.

 

In the last sentence of 6.64.6 there is CKA_VALUE_LEN written in red. Just remove the color.

 

Reviewing text of 6.64.5 (IKEv2 PRF PLUS DERIVE) I suggest just a small change since I was mainly confused if “additional keys”, “all the session keys” and “various subkeys” are actually the same (which they are). This is my suggestion (changes in red):

“The IKEv2 PRF PLUS Derive mechanism denoted CKM_IKE2_PRF_PLUS_DERIVE is used in IPSEC IKEv2 to derive various additional keys from the initial SKEYSEED. It takes a CK_IKE2_PRF_PLUS_DERIVE_PARAMS as a mechanism parameter. SKEYSEED is the base key passed into C_DeriveKey. The key type of baseKey must be the key type of the underlying prf. This mechanism uses the base key and a feedback version of the prf to generate a single key with sufficient bytes to cover all the session additional keys. The application will then use CKM_EXTRACT_KEY_FROM_KEY several times to pull out the various subkeys.”

 

An important restriction of RFC 5996 is IMO missing in the mechanism description: “The prf+ function is not defined beyond 255 times the size of the prf function output.” (section 2.13 in the RFC) Therefore, I suggest changing the next sentence as well to (already including the change of the error code):

“CKA_VALUE_LEN must be set in the template and its value must not be bigger than 255 times the size of the prf function output or CKR_KEY_SIZE_ERROR will be returned.”

 

 

HSS (section 6.65):

 

Easier part: headings of some subsections are not formatted correctly (not bold).

 

CKR_OPERATION_TIMEOUT: Is used in section 6.65.4 "HSS key pair generation", but missing in the header files. Moreover, it needs to be defined in section 5.1.6 and added to the list of possible return values in section 5.18.2 "C_GenerateKeyPair". However, the semantics is not completely clear to me.

In 6.65.4 it is described as follows: "If the operation takes longer to complete than a timeout determined by the device, CKR_OPERATION_TIMEOUT will be returned. If this code is returned, the requestor may try the operation again." What's the interpretation of the 2nd sentence? Is the error an information "I'm not done yet, please call me again"? Calculation continues on next call or in the background (might depend on token)? Or does it actually abort? In that case it might never finish on some tokens...

I tried to reach out to Michelle but did not get an answer. Does anybody remember if we discussed this?

 

Regards,

Daniel

 




Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO
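
Added example, not part of the message above or of the PKCS #11 specification: a Python sketch of the RFC 5996 prf+ construction showing why the requested length is bounded at 255 times the prf output size (the block counter is a single octet). HMAC-SHA-256 as the prf, the `KeySizeError` exception standing in for CKR_KEY_SIZE_ERROR, the rejection of non-positive lengths, the `split_subkeys` helper and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac


class KeySizeError(ValueError):
    """Hypothetical stand-in for the CKR_KEY_SIZE_ERROR return value."""


def prf_plus(key: bytes, seed: bytes, value_len: int, hash_name: str = "sha256") -> bytes:
    """RFC 5996 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out_len = hashlib.new(hash_name).digest_size
    # The counter appended to each block is one octet (0x01..0xFF),
    # so at most 255 blocks of prf output can ever be produced.
    max_len = 255 * out_len
    if value_len < 1 or value_len > max_len:
        raise KeySizeError(f"requested {value_len} bytes, allowed 1..{max_len}")
    blocks = []
    prev = b""  # T0 is empty
    counter = 1
    while len(blocks) * out_len < value_len:
        prev = hmac.new(key, prev + seed + bytes([counter]), hash_name).digest()
        blocks.append(prev)
        counter += 1
    return b"".join(blocks)[:value_len]


def split_subkeys(keymat: bytes, lengths: list[int]) -> list[bytes]:
    """Cut consecutive subkeys out of the derived material, the role the
    quoted text gives to repeated CKM_EXTRACT_KEY_FROM_KEY calls."""
    if sum(lengths) > len(keymat):
        raise KeySizeError("derived key too short for requested subkeys")
    keys, offset = [], 0
    for n in lengths:
        keys.append(keymat[offset:offset + n])
        offset += n
    return keys


if __name__ == "__main__":
    skeyseed = bytes(range(32))            # constructed sample base key
    seed = b"Ni|Nr|SPIi|SPIr (constructed)"  # constructed sample seed
    sizes = [32, 32, 32, 16, 16]           # constructed subkey lengths
    material = prf_plus(skeyseed, seed, sum(sizes))
    for i, sub in enumerate(split_subkeys(material, sizes)):
        print(i, sub.hex())
    try:
        prf_plus(skeyseed, seed, 255 * 32 + 1)
    except KeySizeError as exc:
        print("rejected:", exc)
```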
