DeriveMech_NISTKDFmGeneric API

The new mechanism is DeriveMech_NISTKDFmGeneric.

Parameters

The parameter structure is as follows:

struct M_DeriveMech_NISTKDFmGeneric_DKParams {
  M_DeriveMech_NISTKDFmGeneric_DKParams_flags flags;
  M_Word keylen;
  M_KeyType keytype;
  M_Mech prf;
  M_ByteBlock salt;
  M_ByteBlock context;
  M_ByteBlock iv;
  M_ByteBlock label;
  int n_fields;
  M_KDFField *fields;
  M_CipherText *kx;
};

flags

Flags word. See below.

keylen

Length of derived key in bits, e.g. 256

keytype

Type of derived key, e.g. KeyType_Rijndael

prf

PRF for randomness extraction and/or expansion, e.g. Mech_HMACSHA256

salt

Salt parameter for randomness extraction

context

Context parameter for expansion KDF

iv

Initial value parameter for KDF in feedback mode

label

Label parameter for expansion KDF

n_fields

Number of elements in field

fields

List of fields for expansion KDF (see below)

kx

Ciphertext for full key agreement

flags field

Possible flag bits are:

DeriveMech_NISTKDFmGeneric_DKParams_flags_kx_present

The kx field is present. The DeriveRole_BaseKey key is used to 'decrypt' the kx field, to produce the input to the subsequent KDF steps.

DeriveMech_NISTKDFmGeneric_DKParams_flags_Extract

Enable the extraction phase. If the Extract bit is set then both steps of the two-step KDF are performed. Otherwise only the second step is performed.

fields field

This gives the list of values to concatenate to form the input to the PRF, in SP800-108r1 s4.1 step 4(a) or s5.1 step 4(a). The following fields are supported:

KDFField_Counter1r1

The counter value, starting from 1, in a single byte

KDFField_Counter1r2BE

The counter value, starting from 1, in 2 bytes, in big-endian format

KDFField_Counter1r4BE

The counter value, starting from 1, in 4 bytes, in big-endian format

KDFField_Counter1r2LE

The counter value, starting from 1, in 2 bytes, in little-endian format

KDFField_Counter1r4LE

The counter value, starting from 1, in 4 bytes, in little-endian format

KDFField_Lengthr1

The length field, in a single byte

KDFField_Lengthr2BE

The length field, in 2 bytes, in big-endian format

KDFField_Lengthr4BE

The length field, in 4 bytes, in big-endian format

KDFField_Lengthr2L

The length field, in 2 bytes, in little-endian format

KDFField_Lengthr4LE

The length field, in 4 bytes, in little-endian format

KDFField_Label

The label field from the parameters

KDFField_Context

The context field from the parameters

KDFField_ZeroByte

A constant single-byte field with value 0

KDFField_Feedback

Feedback from the previous iteration, or the IV

There are some constraints which must be followed:

  • No field may appear more than once.

  • There can only be, at most, one counter field.

  • There can only be, at most, one length field.

  • There must be either a counter field or the feedback field (or both).