[BUG] Difference in key generated by KDF for encryption and decryption

[Sai-Anudeep47]

To simplify issue resolution process, please provide network logs, and or test voucher.

What part of the spec are you testing?

• [ ] Rendezvous Server
• [ ] Device Onboarding Service
• [x] Device Implementation

What protocol are having issue with?

• [ ] TO0
• [ ] TO1
• [x] TO2

Issue description

• KDF in counter mode implemented at https://github.com/fido-alliance/fdo-fido-conformance-server/blob/main/core/shared/enc.crypto.go#L199 has the loop from "0 to n-1" but it should be from "1 to n" according to https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf and section 5.1
• The above publication is mentioned in spec https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-PS-v1.1-20220419/FIDO-Device-Onboard-PS-v1.1-20220419.html#kdf and screenshot from publication is attached for reference.

[rftemple]

The L2 value is also currently written as Little Endian and the bytes need to be reversed for Big Endian. This is in addition to the loop start with 1 vs 0.

func Sp800108CounterKDF(sizeBytes int, hmacAlg HashType, key []byte, contextRand []byte) ([]byte, error) { //this should be 1 vs 0 per spec for i := 1; i < n; i += 1 { mac.Write([]byte{byte(i)}) mac.Write([]byte(CONST_KDF_LABEL)) mac.Write([]byte{byte(0x00)}) // Separator mac.Write([]byte(CONST_KDF_CONTEXT)) mac.Write(contextRand)

    Lbigend := []byte{byte((l & 0xff)), byte((l >> 8) & 0xff)}

// this should be reversed for big endian Lbigend := []byte{ byte((l >> 8) & 0xff),byte((l & 0xff))} mac.Write(Lbigend)

    result = append(result, mac.Sum(nil)...)
    mac.Reset()
}

return result[0:sizeBytes], nil

}

256 in Big endian to array is [1,0] 256 in Little endian to array is [0,1] (current output)

[yackermann]

yes, you are correct @rftemple @Sai-Anudeep47!