usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

SP 800-56C Rev 2 - TwoStep KDA #210

Closed mtdownz closed 1 year ago

mtdownz commented 2 years ago

When requesting SP 800-56C Rev 2 - TwoStep KDA vectors using the following parameters:

[
  { "acvVersion": "1.0" },
  {
    "isSample": true,
    "algorithms": [
      {
        "algorithm": "KDA",
        "mode": "TwoStep",
        "revision": "Sp800-56Cr2",
        "prereqVals": [
          {
            "algorithm": "HMAC",
            "valValue": "same"
          }
        ],
        "performMultiExpansionTests": true,
        "capabilities": [
          {
            "macSaltMethods": ["default"],
            "fixedInfoPattern": "uPartyInfo||vPartyInfo||l",
            "encoding": [ "concatenation" ],
            "kdfMode": "counter",
            "supportedLengths": [
              256
            ],
            "macMode": [ "HMAC-SHA2-256" ],
            "fixedDataOrder": ["before fixed data"],
            "counterLength": [ 32 ]
          }
        ],
        "l": 256,
        "z": [ 256 ]
      }
    ]
  }
]

We receive back a vector file with a saltLen field = 256 bits.

SP 800-56C R2 Section 4.1 (page 12) states "If H(x) = HMAC-hash(salt, x), then – in the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash. (Input-block lengths for the approved hash functions that can be employed to implement HMAC-hash are listed in Table 1 of Section 4.2.)"

This states that the default salt (saltLen) shall be all zeroes whose bit length = the input block length. For the above requested vectors using the approved function HMAC-SHA-256 this length should be 512 bits and is echoed in SP 800-56C Rev 2 - Table 2 (page 15). The vectors that we receive from ACVP have a saltLen = 256-bits. Although we can adjust on our end for this discrepancy, we feel this is a potential oversight on the ACVP system?

Thank you.
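Added example (not part of the original issue, and not code from NIST or the ACVP project): a Python sketch of the default-salt rule quoted above, with a check for a test case's saltLen and salt fields and a two-step derivation for the requested capability. It also shows that HMAC zero-pads keys shorter than the input block, so a 256-bit and a 512-bit all-zero salt give the same K_DK and the discrepancy is visible in the reported saltLen rather than in the derived key. Function names and sample inputs are constructed for illustration, and the per-iteration layout HMAC(K_DK, [i] || FixedInfo) for "before fixed data" is an assumption.

```python
import hashlib
import hmac

def default_salt(hash_name):
    """All-zero salt as long as the hash's input block (SP 800-56C Rev 2, Section 4.1)."""
    return bytes(hashlib.new(hash_name).block_size)

def extract(z, hash_name, salt=None):
    """Step 1 (randomness extraction): K_DK = HMAC-hash(salt, Z)."""
    if salt is None:
        salt = default_salt(hash_name)
    return hmac.new(salt, z, hash_name).digest()

def expand_counter(k_dk, fixed_info, l_bits, hash_name, counter_bits=32):
    """Step 2 (key expansion): counter-mode KDF, counter placed before the fixed data.
    Assumed layout per iteration: HMAC(K_DK, [i] || FixedInfo)."""
    out, i = b"", 1
    while len(out) * 8 < l_bits:
        block = i.to_bytes(counter_bits // 8, "big") + fixed_info
        out += hmac.new(k_dk, block, hash_name).digest()
        i += 1
    return out[: l_bits // 8]

def check_default_salt(salt_len_bits, salt_hex, hash_name):
    """Findings for a test case generated with macSaltMethods 'default'."""
    findings = []
    expected = hashlib.new(hash_name).block_size * 8
    salt = bytes.fromhex(salt_hex)
    if salt_len_bits != expected:
        findings.append(f"saltLen {salt_len_bits} != input block length {expected}")
    if len(salt) * 8 != salt_len_bits:
        findings.append("salt value does not match saltLen")
    if any(salt):
        findings.append("default salt is not all-zero")
    return findings

if __name__ == "__main__":
    H = "sha256"              # hashlib name for ACVP "HMAC-SHA2-256"
    z = bytes(range(32))      # constructed 256-bit shared secret
    # Constructed FixedInfo following uPartyInfo||vPartyInfo||l (encoding of l assumed)
    fixed_info = b"uParty" + b"vParty" + (256).to_bytes(4, "big")
    print(check_default_salt(256, "00" * 32, H))   # shape of the reported vector
    print(check_default_salt(512, "00" * 64, H))   # shape the specification calls for
    # HMAC zero-pads keys shorter than the block, so both salts give the same K_DK
    print(extract(z, H, bytes(32)) == extract(z, H))
    print(expand_counter(extract(z, H), fixed_info, 256, H).hex())
```

The equivalence holds only for salts no longer than the input block; a longer salt is hashed before use as the HMAC key, so its length then changes the output.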

livebe01 commented 2 years ago

Hi @mtdownz, thank you for letting us know about this. As it happens, this was also an issue in OneStep and HKDF. We have addressed this and the fix will appear in release v1.1.0.26.

livebe01 commented 2 years ago

The fix for this is now on Demo, v1.1.0.25.

livebe01 commented 1 year ago

The fix for this is now on Prod in release v1.1.0.25.