Re: fscrypt and FIPS


 



On Tue, 2021-02-16 at 11:04 -0800, Eric Biggers wrote:
> On Tue, Feb 16, 2021 at 12:47:05PM -0500, Simo Sorce wrote:
> > Some more info, sorry for the delay.
> > 
> > Currently, as explained earlier, the HKDF is approved only in specific
> > cases (from SP.800-56C rev 2), which is why I asked Jeff to inquire if
> > KDF agility was possible for fscrypt.
> > 
> > That said, we are also trying to get NIST to approve HKDF for use in
> > SP800-133 covered scenarios (Symmetric Keys Derived from Pre-Existing
> > Key), which is the case applicable to fscrypt (afaict).
> > 
> > SP.800-133 currently only allows KDFs as defined in SP.800-108, but
> > there is hope that SP.800-56C rev 2 KDFs can be allowed also, after all
> > they are already allowed for key-agreement schemes.
> > 
> > Hope this clears a bit why we inquired, it is just in case, for
> > whatever reason, NIST decides not to approve or delays a decision; to
> > be clear, there is nothing wrong in HKDF itself that we know of.
> > 
> 
> Just getting HKDF properly approved seems like a much better approach than doing
> a lot of work for nothing.  Not just for fscrypt but also for everything else
> using HKDF.

Yes, this would be the ideal outcome!
But I have to figure out the "what if" too ..

> - Eric
> 

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc






