Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Need to specify clearly how to invoke HKDF in a FIPS-compliant way #93

Open
ounsworth opened this issue Nov 18, 2024 · 7 comments
Open

Comments

@ounsworth
Copy link
Contributor

Currently we just treat it as a generic KDF.

We need to take a much closer look at how to define the HKDF-SHA256 combo in a way that is 800-56Cr2 compliant. Technically HKDF (RFC 5869) is allowed under the 2-Step method, but it requires some careful alignment of inputs on the HKDF-Expand step. But in our case we only need to use the HKDF-Extract step for the combiner.

Fix: either specify that we only use the HKDF-Extract() step from RFC 5869, or else just use HMAC directly from RFC 2104

https://datatracker.ietf.org/doc/rfc2104/

@chris-wood
Copy link
Contributor

@ounsworth this is a dupe of #87, I think?

@chris-wood
Copy link
Contributor

In any case, I would recommend just dropping HKDF altogether. Since you're composing with ML-KEM, you already have SHA-3 available, so you might as well just use SHA3-256 as the one KDF across the board. What do you think?

@ounsworth
Copy link
Contributor Author

ounsworth commented Nov 19, 2024

In any case, I would recommend just dropping HKDF altogether. Since you're composing with ML-KEM, you already have SHA-3 available, so you might as well just use SHA3-256 as the one KDF across the board. What do you think?

Aww dude, you're like a year late to this debate. Both Joe Saloway and Deb Cooley were adamant that just because you have an ML-KEM implementation (potentially in a USB smartcard or something) does not mean that you have SHA3 available in, say, the Outlook S/MIME implementation that's gonna do the KEM Combining.

We have spent an inordinate amount of time fine-tuning a range of SHA2 and SHA3 offerings that everyone involved are happy with. Please don't re-open this can of worms.

@ounsworth
Copy link
Contributor Author

@ounsworth this is a dupe of #87, I think?

Certainly related. There's a much larger discussion going on relating to how to make the SHA2-based combiner FIPS compatible. Russ is currently proposing that we ditch HKDF and specify raw usage of HMAC. This also has implications for CMS in general since the KEMRecipientInfo RFC that we just published (RFC 9629) has the same problem in that it is non FIPS compliant when used with id-alg-hkdf-with-sha256.

Please hold. I'll update github issues once my Outlook stops emitting smoke.

@chris-wood
Copy link
Contributor

I'm sorry, but I don't buy the argument that ML-KEM will be available and SHA-3 will not. Where is discussion about this taking place?

@ounsworth
Copy link
Contributor Author

ounsworth commented Jan 5, 2025

I'm sorry, but I don't buy the argument that ML-KEM will be available and SHA-3 will not. Where is discussion about this taking place?

I don't particularly care one way or another, but the request for SHA2 combiners came from Deb Cooley on behalf of NSA. Here's the PQUIP 118 recording where she made her case: https://youtu.be/W46QrMvlLZU?feature=shared&t=5655

Joe Saloway made a similar request (but not on-recording). If you want the SHA2 combiners to be ditched, then you'll need to get Deb and Joe to withdraw their requests for it.

@ounsworth
Copy link
Contributor Author

@ounsworth this is a dupe of #87, I think?

Not an exact dupe, this one is about how to make it FIPS-compliant, while #87 is about correctly calling the HKDF API. I'll adjust the title to reflect that.

@ounsworth ounsworth changed the title Need to specify clearly how to invoke HKDF Need to specify clearly how to invoke HKDF in a FIPS-compliant way Jan 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants