Re: fscrypt and FIPS

On Tue, Feb 16, 2021 at 12:47:05PM -0500, Simo Sorce wrote:
> Some more info, sorry for the delay.
> 
> Currently, as explained earlier, the HKDF is approved only in specific
> cases (from SP.800-56C rev 2), which is why I asked Jeff to inquire if
> KDF agility was possible for fscrypt.
> 
> That said, we are also trying to get NIST to approve HKDF for use in
> SP800-133 covered scenarios (Symmetric Keys Derived from Pre-Existing
> Key), which is the case applicable to fscrypt (afaict).
> 
> SP.800-133 currently only allows KDFs as defined in SP.800-108, but
> there is hope that SP.800-56C rev 2 KDFs can be allowed also, after all
> they are already allowed for key-agreement schemes.
> 
> Hope this clears a bit why we inquired, it is just in case, for
> whatever reason, NIST decided not to approve or delays a decision; to
> be clear, there is nothing wrong in HKDF itself that we know of.
> 

Just getting HKDF properly approved seems like a much better approach than doing
a lot of work for nothing.  Not just for fscrypt but also for everything else
using HKDF.

- Eric


