KDF: Key Derivation Functions



Rust implementation


Extraction-then-Expansion(E-E) Key Derivation Procedure

graph TD;
  id1(KeyAgreementPrimitive) -.SharedSecret.-> id2(ExtractionStep)
  id2 -.KeyDerivationKey.-> id3(ExpansionStep)
  id3 -.DerivedKeyingMaterial, k1..ki..kn.-> id4(KDF)
  id4 -.- id5(DerivedKeyingMaterial)

  • SP 800-56C defines ExtractionStep->ExpansionStep;
  • SP 800-108 defines ExpansionStep;

Internet Key Exchange(IKE)

IKEv1-KDF

  • RFC 2409;
  • \(g^{xy}\): Diffie-Hellman(DH) key exchange value, also called DH shared key;
  • \(a || b\): string b concatenated after string a;

When a digital signature is used for authentication: \(SKEYID=HMAC(Ni_b || Nr_b, g^{xy})\), where \(Ni_b, Nr_b\) are non-secret values;

When a public key algorithm is used for authentication: \(SKEYID=HMAC(HASH(Ni_b||Nr_b), CKY-I||CKY-R)\), where \(Ni_b, Nr_b\) are secret nonces and \(CKY-I, CKY-R\) are non-secret values;

When a pre-shared key is used for authentication: \(SKEYID=HMAC(pre\_shared\_key, Ni_b||Nr_b)\), where \(Ni_b, Nr_b\) are non-secret values;

\(SKEYID_d=HMAC(SKEYID, g^{xy}||CKY-I||CKY-R||0)\), where \(SKEYID_d\) is used as a key derivation key to generate new key material for newly negotiated SAs (security associations);

\(SKEYID_a=HMAC(SKEYID, SKEYID_d||g^{xy}||CKY-I||CKY-R||1)\), where \(SKEYID_a\) is used as an HMAC key to authenticate the messages of the current SA;

\(SKEYID_e = HMAC (SKEYID, SKEYID_a || g^{xy} || CKY-I || CKY-R || 2)\), where \(SKEYID_e\) is used as a key derivation key to derive the symmetric encryption key that provides confidentiality for the messages of the current SA;

IKEv2-KDF

  • RFC 4306
  • \(g^{ir}\): Diffie-Hellman(DH) key exchange value, also called DH shared key;

\(SKEYSEED=HMAC(Ni||Nr, g^{ir})\), where \(SKEYSEED\) serves as the key derivation key used in the ExpansionStep, and \(Ni, Nr\) are non-secret nonces.

TLS-KDF

  • RFC 2246;
  • RFC 4346;

Other application-specific KDFs

ANS X9.63-KDF

  • ANS X9.63

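Given data \(Z\), a hash function \(Hash\) (whose hash value is \(l\) bytes long), the required output key data length \(k\) in bytes, and optional additional data \(SharedInfo\):

  • \(Counter=0x00000001\);
  • Iterate from \(i=0\) to \(\lceil k/l \rceil\):
    • \(K_i=Hash(Z||Counter||SharedInfo)\);
    • \(Counter+=1\)
  • Assign the leftmost \(k\) bytes of \(K_0||K_1||\dots ||K_{\lceil k/l \rceil}\) to \(K\);
  • Output \(K\);

Notation: \(X||Y\) denotes \(Y\) concatenated after \(X\);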
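
The ANS X9.63 steps above, written out as an added Python example (not code from the original page or from the linked Rust implementation). It assumes SHA-256 as the default \(Hash\) and a 4-byte big-endian counter; `derive_session_keys` and its 16/32-byte split are hypothetical names and sizes chosen for illustration.

```python
import hashlib
import math


def x963_kdf(z: bytes, k: int, shared_info: bytes = b"",
             hash_name: str = "sha256") -> bytes:
    """Derive k bytes from Z with the counter-mode hash construction above."""
    l = hashlib.new(hash_name).digest_size  # l: hash output length in bytes
    if l == 0:
        raise ValueError("hash must have a fixed output length")
    if k <= 0:
        raise ValueError("k must be a positive number of bytes")
    # ceil(k/l) blocks already cover k bytes; any further block would be
    # discarded by the final truncation.
    blocks = math.ceil(k / l)
    # Counter is a 32-bit value starting at 0x00000001 and must never wrap,
    # otherwise two blocks would hash identical input.
    if blocks > 0xFFFFFFFF:
        raise ValueError("requested length exceeds the 32-bit counter range")
    out = bytearray()
    for counter in range(1, blocks + 1):
        h = hashlib.new(hash_name)
        h.update(z)                            # Z
        h.update(counter.to_bytes(4, "big"))   # Counter
        h.update(shared_info)                  # SharedInfo
        out += h.digest()                      # K_i
    return bytes(out[:k])                      # leftmost k bytes -> K


def derive_session_keys(z: bytes, context: bytes):
    """Hypothetical helper: split one KDF output into two independent keys."""
    okm = x963_kdf(z, 48, context)
    return okm[:16], okm[16:48]  # 16-byte encryption key, 32-byte MAC key


if __name__ == "__main__":
    z = bytes(range(32))                       # constructed sample shared secret
    enc, mac = derive_session_keys(z, b"example-protocol v1")
    print("enc key:", enc.hex())
    print("mac key:", mac.hex())
    # Different SharedInfo binds the output to a different context.
    print(x963_kdf(z, 16, b"initiator") != x963_kdf(z, 16, b"responder"))
```
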

SecureShell(SSH)-KDF

  • RFC4251;
  • RFC4252;
  • RFC4253;
  • RFC4254;

SecureRealTimeTransportProtocol(SRTP)-KDF

  • RFC3550;
  • RFC3711;
  • RFC6188;

SimpleNetworkManagementProtocol(SNMP)-KDF

  • RFC2571;
  • RFC2574;

TrustedPlatformModule(TPM)-KDF

  • TPM Principles;
  • TPM Structures;
  • TPM Commands;


