usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

KAS1-basic / why is C included in the FixedInfo? #285

Closed szendros closed 7 months ago

szendros commented 10 months ago

environment Demo

testSessionId 438361

vsId 1827248

Algorithm registration

```json
{
  "algorithm": "KAS-IFC",
  "revision": "Sp800-56Br2",
  "function": [ "keyPairGen" ],
  "iutId": "0123456789abcdef",
  "keyGenerationMethods": [ "rsakpg2-basic" ],
  "modulo": [ 2048, 3072, 4096 ],
  "scheme": {
    "KAS1-basic": {
      "kasRole": [ "initiator", "responder" ],
      "kdfMethods": {
        "oneStepKdf": {
          "auxFunctions": [
            { "auxFunctionName": "SHA2-256", "macSaltMethods": [ "random" ] }
          ],
          "fixedInfoPattern": "uPartyInfo||vPartyInfo",
          "encoding": [ "concatenation" ]
        }
      },
      "l": 1024
    }
  }
}
```

Endpoint in which the error is experienced https://demo.acvts.nist.gov/acvp/v1/testSessions GET

Expected behavior

When the derived key (dkm) is derived from shared secret Z, the FixedInfo used in the kdf (as salt) is the following (we found this in the source code of acvp-server):

```
uPartyId || C || vPartyId || Nv
```

We cannot find any reference for including the value of C (ciphertext) in the FixedInfo after reading through all NIST Special Publication 800-56A/B/C. Can you tell us what the source of including C in the FixedInfo is?


livebe01 commented 10 months ago

Hi @szendros, the valid fixedInfo pattern components should be these: https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ifc.html#name-fixedinfopatternconstructio. Where are you seeing uPartyId || C || vPartyId || Nv in the source code? Can you provide a link?

szendros commented 10 months ago

I had to create new testvectors as the ones mentioned in the issue were deleted from my computer. The registration and environment is the same.

testSessionId 440102

vsId 1833566

For tcId:1 the value of Z (computed from the testvectors) is:

```
549490a5cbe3cd4e4e6c90d39e8e4c7f5dfe7d316937c984e62c983eddeaa84b
f4ec61c65d063e64af8adbe1791646c82b9744f3303810b65beeab0a477cd829
4d09eae4567817a1f1ad6a79ed25739237dfbbb514f555dfd1b83e74a8301219
04c906eca97ea8e74c58e98517e26e9a63533b5a96dcf253f69362ff5f63fada
33825b5cbfd7e6733a519106494c7333b79ed8a20b469c6025c5c38ff1e239de
5f32d18a1526383cf647a0323c1819ba2354e198425a0d050d7182f813dcbada
84ce1f6206968899361bfd184ba9d2a8bdd66cabbdbdad7f94d8219ebf6f57f4
5fecdc0ec0d6918fff9e56efdaa1dd2e1042676ad119c760dde039972587388c
0ad7ba29d7e2ea25413dc5841d8a5fcd6f4625f7fc61cc1a15b3f0abfcd2ccc5
237379396f4d74353a64cc9d34dc14cd8b3569f14c5b0084112a764c1725890d
daf9613257eb03d9387253fde6dd448c0008d086dfa7be85a6d1247326aca88d
61b27b796914d65cbb49990be0a655359e9df9c0b2eabf5572ca472d47bf22d1
7e34a33b13e22afac883709ffd314fedff6c32497e26c205ee8e5c930f9ee02c
e8963d309455a2d0e777e675f0ade4cf5e56cc28eb0a67bc643790b5b31172af
f8614ce101ae43cb941e54e6e2273d7e430fa5814dd98d34783eded72036ef3b
5ec99c2d2c28df03d71a01793fe0fa430fb1eca24dd078958e7909e0b11ae696
```

After applying the kdf the value of dkm should be:

```
2E1EAB1207358425E112F25D1376DC1C7867AD815916094299C5A865B2DA475D
94FEAF7AC3EC059C03A95367051D936B81E5DF0F5200C34D996C94333F60E3A6
2B583E58E929872ED1DB0A6B5B8DBA1E0573529D5B0C7BF50E99EB460A8E0842
7A2E3E9B982F38D19D395BC8ECC86EF590AF12ECFE37B67E222DC592F0C88009
```

For the given inputs (iutNonce, iutId, serverId) the only way to derive dkm as that is to use this as a salt:

```
serverId || C || iutId || iutNonce
```

So the ACVP-Server definitely uses C as an input into the kdf.

As for the source code, we cannot run or debug the acvp-server code, but we suspect that the lines in SchemeBaseKasOneKeyPair (https://github.com/usnistgov/ACVP-Server/blob/0814d0b64616bfdeddcd3f6f4261a209fe5a97a6/gen-val/src/crypto/src/NIST.CVP.ACVTS.Libraries.Crypto/KAS/Scheme/Ifc/SchemeBaseKasOneKeyPair.cs) should be related to using C in the kdf:

```csharp
initiatorData = otherPartyKeyingMaterial.C;
responderData = ThisPartyKeyingMaterial.DkmNonce;
```

We see that using the nonce as an input is coming from NIST 800-56B, but we cannot see where using C as an input to the kdf is coming from.

livebe01 commented 10 months ago

Great, thanks for the additional information. I'll take a look and get back to you.

jbrock24 commented 9 months ago

Hi @szendros - C is used here as EphemeralData before the return of the method data/link from a previous post.

```csharp
_kdfParameter.SetEphemeralData(initiatorData, responderData);
```

Within the fixedInfoPattern, you have it set to `"fixedInfoPattern":"uPartyInfo||vPartyInfo"`.

The EphemeralData in this case is the CipherText, in part. It's obtained from here and here.

These are called from uPartyInfo inclusion to the FixedInfoPattern here.

Section 7.7.1.3 FixedInfoPatternConstruction of the spec sheet shows that it's an optional data set to be included.

Two bullet points there, the latter being the key, I believe:

Thank you and please let me know if this helps!
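To make the construction discussed in this thread concrete, here is an added worked example (not code from ACVP-Server or from either commenter) of the SP 800-56C one-step KDF with SHA2-256 and a `uPartyInfo||vPartyInfo` FixedInfo in which the U party's ephemeral data is the ciphertext C and the V party's is its DKM nonce. It assumes the server is party U and the IUT is party V, as in the reporter's derivation; all byte values below are constructed stand-ins, not the test session's real Z, C or nonce, and `derive_dkm`/`fixed_info_concat` are helper names chosen here.

```python
import hashlib


def one_step_kdf_sha256(z: bytes, fixed_info: bytes, l_bits: int) -> bytes:
    """SP 800-56C Rev. 2 one-step KDF with hash-based auxiliary function H = SHA2-256.

    K(i) = H(counter || Z || FixedInfo), 32-bit big-endian counter starting at 1;
    the blocks are concatenated and the result truncated to L bits.
    """
    if l_bits <= 0 or l_bits % 8:
        raise ValueError("L must be a positive multiple of 8 bits")
    n_bytes = l_bits // 8
    reps = -(-n_bytes // hashlib.sha256().digest_size)  # ceil(L / H_outputLen)
    blocks = [hashlib.sha256(i.to_bytes(4, "big") + z + fixed_info).digest()
              for i in range(1, reps + 1)]
    return b"".join(blocks)[:n_bytes]


def fixed_info_concat(u_party_id: bytes, c: bytes, v_party_id: bytes, nv: bytes) -> bytes:
    """fixedInfoPattern uPartyInfo||vPartyInfo with 'concatenation' encoding, where
    (as this thread explains) uPartyInfo = uPartyId || C, C being the ciphertext used
    as U's ephemeral data, and vPartyInfo = vPartyId || Nv, V's DKM nonce."""
    return u_party_id + c + v_party_id + nv


def derive_dkm(z, u_party_id, c, v_party_id, nv, l_bits=1024, include_c=True):
    """DKM = KDF(Z, FixedInfo). include_c=False reproduces what an IUT computes when
    it leaves C out of uPartyInfo, i.e. the mismatch that prompted this issue."""
    fi = fixed_info_concat(u_party_id, c if include_c else b"", v_party_id, nv)
    return one_step_kdf_sha256(z, fi, l_bits)


# Constructed sample inputs (NOT the real test-session values; Z is shortened).
Z = bytes(range(1, 65))                        # stand-in for the RSA shared secret Z
IUT_ID = bytes.fromhex("0123456789abcdef")     # iutId from the registration above
SERVER_ID = bytes.fromhex("a1b2c3d4e5f60718")  # constructed server party id
C = bytes.fromhex("0c" * 32)                   # constructed stand-in for ciphertext C
NV = bytes.fromhex("7e" * 16)                  # constructed DKM nonce of the IUT (V)

if __name__ == "__main__":
    # Server is U (initiator, supplies C), IUT is V (responder, supplies Nv).
    with_c = derive_dkm(Z, SERVER_ID, C, IUT_ID, NV)
    without_c = derive_dkm(Z, SERVER_ID, C, IUT_ID, NV, include_c=False)
    print("DKM with C in uPartyInfo:   ", with_c.hex().upper())
    print("DKM without C in uPartyInfo:", without_c.hex().upper())
```

Running it shows two different 1024-bit DKMs from the same Z, which is why an IUT that omits C from uPartyInfo cannot match the server's expected dkm.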

sandor-szendro-i4p commented 8 months ago

Hi, as I understand this, using this ephemeral data is optional in normal operation, but must be used in ACVP. Is it OK then, in our API for KTS-IFC, to include an option whether the ephemeral data (C) is used in FIPS approved mode?

Thank you

jbrock24 commented 8 months ago

That should be fine.

sandor-szendro-i4p commented 8 months ago

Thank you, this can be closed.