smuellerDD / libkcapi

Linux Kernel Crypto API User Space Interface Library
http://www.chronox.de/libkcapi

Why SHA2-256 is the only hash crypto primitive for KDF in linux kernel crypto? #171

Closed ssrish17 closed 11 months ago

ssrish17 commented 1 year ago

Hi Stephan,

While coding libkcapi backend for kdf (kdf_sp800108) in ACVP (https://github.com/smuellerDD/acvpparser) I noticed that kdf test vectors with hash crypto primitives as SHA1, SHA2-384, SHA2-512, and all the four SHA3 combinations also seem to be working fine in addition to the already known SHA2-224 and SHA2-256

But when I look at the kernel code, CRYPTO_KDF800108_CTR is selecting only CRYPTO_SHA256 (https://github.com/torvalds/linux/blob/master/crypto/Kconfig#L1319) and not any other hash crypto primitives. Could you please provide more clarity on this?

Thanks, Srish

smuellerDD commented 1 year ago

Am Mittwoch, 30. August 2023, 16:16:04 CEST schrieb ssrish17:

Hi ssrish17,

> Hi Stephan,
>
> While coding libkcapi backend for kdf (kdf_sp800108) in ACVP (https://github.com/smuellerDD/acvpparser) I noticed that kdf test vectors with hash crypto primitives as SHA1, SHA2-384, SHA2-512, and all the four SHA3 combinations also seem to be working fine in addition to the already known SHA2-224 and SHA2-256
>
> But when I look at the kernel code, CRYPTO_KDF800108_CTR is selecting only CRYPTO_SHA256 (https://github.com/torvalds/linux/blob/master/crypto/Kconfig#L1319) and not any other hash crypto primitives. Could you please provide more clarity on this?

The kernel is no general purpose crypto library. All algorithms are used inside the kernel for different purposes. The KDF is only used in conjunction with the keyring facility's DH operation. There, only SHA2-256 is used.

> Thanks, Srish

Ciao Stephan

ssrish17 commented 1 year ago

Hi Stephan, thanks a lot for your prompt response!

ssrish17 commented 1 year ago

Hello Stephan, Just some observations.

Using the keyctl commandline utility, I could invoke dh_compute_kdf_oi to derive a key from a Diffie-Hellman generated shared secret. And here for the key derivation, I could make use of the other SHA2 hashes as well (SHA2-384 and SHA2-512), apart from SHA2-256 and SHA2-224.

And for this experiment, I had taken test vectors from here: http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASTestVectorsFFC2014.zip

Even the existing SHA-224 and SHA-256 test vectors that are a part of the keyutils source are from the same zip archive. (https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/tree/tests/keyctl/dh_compute/valid/runtest.sh#n87)

So is it reasonable enough to conclude that even the other SHA2 variants (not only SHA2-256) could be used for key derivation in the keyring facility's DH operation?

smuellerDD commented 1 year ago

Am Freitag, 1. September 2023, 16:55:24 CEST schrieb ssrish17:

Hi ssrish17,

> Hello Stefan, Just some observations.
>
> Using the keyctl commandline utility, I could invoke dh_compute_kdf_oi to derive a key from a Diffie-Hellman generated shared secret. And here for the key derivation, I could make use of the other SHA2 hashes as well (SHA2-384 and SHA2-512), apart from SHA2-256 and SHA2-224.
>
> And for this experiment, I had taken test vectors from here: http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASTestVectorsFFC2014.zip
>
> Even the existing SHA-224 and SHA-256 test vectors that are a part of the keyutils source are from the same zip archive. (https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/tree/tests/keyctl/dh_compute/valid/runtest.sh#n87)
>
> So is it reasonable enough to conclude that even the other SHA2 variants (not only SHA2-256) could be used for key derivation in the keyring facility's DH operation?

You are right, but the question is now can that be specified in the Kconfig as you may need CONFIG_CRYPTO_SHA256 or CONFIG_CRYPTO_SHA512.

Ciao Stephan

ssrish17 commented 1 year ago

Hello Stephan,

So at runtime when we use keyctl for key derivation, one could use either one of these 4 crypto hash primitives: sha224, sha256, sha384, sha512

sha224 and sha256 are covered by CRYPTO_SHA256
sha384 and sha512 are covered by CRYPTO_SHA512

But since we are not sure beforehand as to which one of the four it is exactly going to be, we would need to have all the 4 of them compiled and available

Therefore, would the following be a feasible solution?

config CRYPTO_KDF800108_CTR
    tristate
    select CRYPTO_HMAC
    select CRYPTO_SHA256
    select CRYPTO_SHA512

smuellerDD commented 1 year ago

Am Montag, 4. September 2023, 12:41:37 CEST schrieb ssrish17:

Hi ssrish17,

> config CRYPTO_KDF800108_CTR
>     tristate
>     select CRYPTO_HMAC
>     select CRYPTO_SHA256
>     select CRYPTO_SHA512

Well, I am not sure that would help considering that all these options are required now. Yet, you need one hash, not all of them.

Ciao Stephan

smuellerDD commented 11 months ago

If you have a solution, may I ask you to send a patch to the Linux-crypto mailing list for inclusion into the kernel?

Closing the issue here.
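
Added example, not code from this thread, libkcapi or the kernel: a counter-mode KDF in the style of SP 800-108 with HMAC as the PRF, parameterised over the hash names raised in this issue. It shows that the construction itself is hash-agnostic, so only the availability of the underlying hash limits which variants work. The layout (32-bit big-endian counter starting at 1, placed before the fixed input data) and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# Hash names raised in the thread, in hashlib spelling.
THREAD_HASHES = ("sha1", "sha224", "sha256", "sha384", "sha512",
                 "sha3_224", "sha3_256", "sha3_384", "sha3_512")


def kdf_ctr_hmac(hash_name: str, key: bytes, fixed_input: bytes,
                 out_len: int) -> bytes:
    """Counter-mode KDF with HMAC-<hash_name> as the PRF.

    Assumed layout: K(i) = HMAC(key, be32(i) || fixed_input), i = 1, 2, ...
    The output is K(1) || K(2) || ... truncated to out_len bytes.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    digest_size = hashlib.new(hash_name).digest_size
    blocks = -(-out_len // digest_size)  # ceiling division
    if blocks > 0xFFFFFFFF:
        raise ValueError("requested output exceeds the 32-bit counter range")
    out = bytearray()
    for i in range(1, blocks + 1):
        msg = i.to_bytes(4, "big") + fixed_input
        out += hmac.new(key, msg, hash_name).digest()
    return bytes(out[:out_len])


def derive_with_all(key: bytes, fixed_input: bytes, out_len: int) -> dict:
    """Run the same derivation once per hash; only the PRF changes."""
    return {name: kdf_ctr_hmac(name, key, fixed_input, out_len)
            for name in THREAD_HASHES}


if __name__ == "__main__":
    key = bytes(range(32))            # constructed sample key
    fixed = b"label\x00context"       # constructed fixed input data
    for name, okm in derive_with_all(key, fixed, 48).items():
        print(f"{name:9s} {okm.hex()}")
```
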