gilles-peskine-arm
commented
12 months ago The key derivation can support DRBG, but it's not a great fit.
The lifecycle of a key derivation is:
- Setup —
psa_key_derivation_setup - Repeat as necessary: pass input (some inputs can be mandatory) —
psa_key_derivation_input_bytes - Repeat as necessary: extract output —
psa_key_derivation_output_bytes - Abort —
psa_key_derivation_abort
The lifecycle of a DRBG is similar enough that it's possible to reuse the same functions, however there are major differences:
- You can reseed at any time, not just initially —
psa_key_derivation_input_bytescan be called again afterpsa_key_derivation_output_bytes. - Reseeding multiple times is not passing a seed incrementally (which is a desirable thing in some scenarios involving KDF, but would be strange with a DRBG) —
psa_key_derivation_input_bytes(INPUT_SEED, seed1); psa_key_derivation_input_bytes(INPUT_SEED, seed2)is not equivalent to `psa_key_derivation_input_bytes(INPUT_SEED, concatenate(seed1, seed2)) - it matters how you slice the output —
psa_key_derivation_output_bytes(out1, len1); psa_key_derivation_output_bytes(out1 + len1, len2);is not equivalent topsa_key_derivation_output_bytes(out1, len1 + len2);
So it may be better to use a different family of functions.
ndevillard
Add support for DRBG. This is needed for compatibility with Automotive security systems such as described by AUTOSAR/SHE or SAE J3101, which recommend following NIST recommendations described in SP 800-90A (Recommendation for RNG using DRBG). A simple API may include Instantiate, Reseed, Generate, maybe also Test, Uninstantiate.