usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

SP800-56Cr1 KAS KDF doesn't allow valid values for "L" #123

Closed EdSmith-Viasat closed 3 years ago

EdSmith-Viasat commented 3 years ago

UL gets the following error when they try to generate test vectors for the SP800-56Cr1 One-Step KDF: "KAS-KDF-OneStep-Sp800-56Cr1: Provided 'l' value of 256 does not meet the minimum l value of 512 for the function SHA2_D512." The algorithm in Section 4.1 of SP800-56Cr1 (and SP800-56Cr2) is:

  1. If L > 0, then set reps = CEILING(L / H_outputBits); otherwise, output an error indicator and exit this process without performing the remaining actions (i.e., omit steps 2 through 8).
  2. If reps > (2^32 − 1), then output an error indicator and exit this process without performing the remaining actions (i.e., omit steps 3 through 8).
  3. Initialize a big-endian 4-byte unsigned integer counter as 0x00000000, corresponding to a 32-bit binary representation of the number zero.
  4. If counter || Z || FixedInfo is more than max_H_inputBits bits long, then output an error indicator and exit this process without performing any of the remaining actions (i.e., omit steps 5 through 8).
  5. Initialize Result(0) as an empty bit string (i.e., the null string).
  6. For i = 1 to reps, do the following:
     6.1. Increment counter by 1.
     6.2. Compute K(i) = H(counter || Z || FixedInfo).
     6.3. Set Result(i) = Result(i – 1) || K(i).
  7. Set DerivedKeyingMaterial equal to the leftmost L bits of Result(reps).
  8. Output DerivedKeyingMaterial.

We are using an SP800-56Cr1 KDF to derive 256-bit DerivedKeyingMaterial. We’re using a SHA-512 hash as the function “H”, as allowed by Option 1 in Section 4.1. Although the specification limits max_H_inputBits to the output size of the hash function, why is the minimum L value limited to 512 bits when using the SHA2_D512 function?
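
The steps quoted above, as an added example that is not part of the original issue or of the ACVP-Server code: a Python implementation of the One-Step KDF with a hash as H, showing that L = 256 with SHA-512 gives reps = 1 and a truncated digest. The function name and the sample Z and FixedInfo are constructed; the example assumes L is a multiple of 8 and omits the step 4 length check, which ordinary inputs cannot reach for SHA-512.

```python
import hashlib

MAX_REPS = 2**32 - 1  # bound from step 2


def one_step_kdf(z: bytes, fixed_info: bytes, l_bits: int,
                 hash_name: str = "sha512") -> bytes:
    """One-Step KDF with a hash function as H (steps 1-8 as quoted above)."""
    h_output_bits = hashlib.new(hash_name).digest_size * 8

    # Step 1: L must be positive; reps = CEILING(L / H_outputBits).
    if l_bits <= 0:
        raise ValueError("L must be greater than 0")
    if l_bits % 8:
        # Assumption of this example only: byte-aligned output lengths.
        raise ValueError("this example handles L in multiples of 8 bits")
    reps = -(-l_bits // h_output_bits)  # integer ceiling division

    # Step 2: reps must fit the 32-bit counter.
    if reps > MAX_REPS:
        raise ValueError("L is too large for a 32-bit counter")

    # Steps 3, 5, 6: the counter starts at zero and is incremented before
    # each hash call, so the first block uses 0x00000001.
    result = b""
    for counter in range(1, reps + 1):
        block_input = counter.to_bytes(4, "big") + z + fixed_info
        result += hashlib.new(hash_name, block_input).digest()

    # Steps 7, 8: output the leftmost L bits of Result(reps).
    return result[: l_bits // 8]


# Constructed sample inputs (not from the issue or from any test vector).
Z = bytes(range(32))
FIXED_INFO = b"constructed FixedInfo"

if __name__ == "__main__":
    for l_bits in (112, 256, 512, 1024):
        key = one_step_kdf(Z, FIXED_INFO, l_bits)
        print(l_bits, len(key) * 8, key.hex()[:32] + "...")
```
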

livebe01 commented 3 years ago

Hi @EdSmith-Viasat, sorry for the slow reply. The minimum L value shouldn't be limited to 512 bits. We'll look into this. It seems like the proper bound should be minimum 112 bits.

GlennUL commented 3 years ago

@livebe01 Is there any update on this issue?

livebe01 commented 3 years ago

Working on this now. Apologies on the delay.

livebe01 commented 3 years ago

This fix is now on Demo.

Kritner commented 3 years ago

This change is on production in release v1.1.0.20