Closed ssrish17 closed 11 months ago
Am Mittwoch, 30. August 2023, 16:16:04 CEST schrieb ssrish17:
Hi ssrish17,
Hi Stephan,
While coding libkcapi backend for kdf (kdf_sp800108) in ACVP (https://github.com/smuellerDD/acvpparser) I noticed that kdf test vectors with hash crypto primitives as SHA1, SHA2-384, SHA2-512, and all the four SHA3 combinations also seem to be working fine in addition to the already known SHA2-224 and SHA2-256
But when I look at the kernel code, CRYPTO_KDF800108_CTR is selecting only CRYPTO_SHA256 (https://github.com/torvalds/linux/blob/master/crypto/Kconfig#L1319) and not any other hash crypto primitives. Could you please provide more clarity on this?
The kernel is no general purpose crypto library. All algorithms are used inside the kernel for different purposes. The KDF is only used in conjunction with the keyring facility's DH operation. There, only SHA2-256 is used.
Thanks, Srish
Ciao Stephan
Hi Stephan, thanks a lot for your prompt response!
Hello Stephan, Just some observations.
Using the keyctl commandline utility, I could invoke dh_compute_kdf_oi to derive a key from a Diffie-Hellman generated shared secret. And here for the key derivation, I could make use of the other SHA2 hashes as well (SHA2-384 and SHA2-512), apart from SHA2-256 and SHA2-224.
And for this experiment, I had taken test vectors from here: http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASTestVectorsFFC2014.zip Even the existing SHA-224 and SHA-256 test vectors that are a part of the keyutils source are from the same zip archive.(https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/tree/tests/keyctl/dh_compute/valid/runtest.sh#n87)
So is it reasonable enough to conclude that even the other SHA2 variants (not only SHA2-256) could be used for key derivation in the keyring facility's DH operation?
Am Freitag, 1. September 2023, 16:55:24 CEST schrieb ssrish17:
Hi ssrish17,
Hello Stefan, Just some observations.
Using the keyctl commandline utility, I could invoke dh_compute_kdf_oi to derive a key from a Diffie-Hellman generated shared secret. And here for the key derivation, I could make use of the other SHA2 hashes as well (SHA2-384 and SHA2-512), apart from SHA2-256 and SHA2-224.
And for this experiment, I had taken test vectors from here: http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASTestVectorsFFC201 4.zip Even the existing SHA-224 and SHA-256 test vectors that are a part of the keyutils source are from the same zip archive.(https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils. git/tree/tests/keyctl/dh_compute/valid/runtest.sh#n87)
So is it reasonable enough to conclude that even the other SHA2 variants (not only SHA2-256) could be used for key derivation in the keyring facility's DH operation?
You are right, but the question is now can that be specified in the Kconfig as you may need CONFIG_CRYPTO_SHA256 or CONFIG_CRYPTO_SHA512.
Ciao Stephan
Hello Stephan,
So at runtime when we use keyctl for key derivation, one could use either one of these 4 crypto hash primitives: sha224, sha256, sha384, sha512
sha224 and sha256 are covered by CRYPTO_SHA256 sha384 and sha512 are covered by CRYPTO_SHA512
But since we are not sure beforehand as to which one of the four it is exactly going to be, we would need to have all the 4 of them compiled and available
Therefore, would the following be a feasible solution?
config CRYPTO_KDF800108_CTR
tristate
select CRYPTO_HMAC
select CRYPTO_SHA256
select CRYPTO_SHA512
Am Montag, 4. September 2023, 12:41:37 CEST schrieb ssrish17:
Hi ssrish17,
config CRYPTO_KDF800108_CTR tristate select CRYPTO_HMAC select CRYPTO_SHA256 select CRYPTO_SHA512
Well, I am not sure that would help considering that all these options are required now. Yet, you need one hash, not all of them.
Ciao Stephan
If you have a solution, may I ask to send a patch to the Linux-crypto mailing list for inclusion into the kernel?
Closing the issue here.
Hi Stephan,
While coding libkcapi backend for kdf (kdf_sp800108) in ACVP (https://github.com/smuellerDD/acvpparser) I noticed that kdf test vectors with hash crypto primitives as SHA1, SHA2-384, SHA2-512, and all the four SHA3 combinations also seem to be working fine in addition to the already known SHA2-224 and SHA2-256
But when I look at the kernel code, CRYPTO_KDF800108_CTR is selecting only CRYPTO_SHA256 (https://github.com/torvalds/linux/blob/master/crypto/Kconfig#L1319) and not any other hash crypto primitives. Could you please provide more clarity on this?
Thanks, Srish