Questions tagged [kbkdf]

A “Key Based Key Derivation Function” is a key derivation function that uses input key material with enough entropy, possibly augmented with additional info to compute output key material.

A “Key Based Key Derivation Function” is a key derivation function or kdf that uses input key material with enough entropy, possibly augmented with additional info to compute output key material.

You can find the definition and related information describing KBKDFs in the document: “Key Derivation using Pseudorandom Functions (SP 800-108) Validation System (KBKDFVS)”, Updated: April 23, 2013, Original: March 22, 2012, Sharon S. Keller, National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division

10 questions

votes

1 answer

Security of KDF1 and KDF2 (hash based KDF's)

It's still common to come across implementations of KDF1 and KDF2. Basically these are KDF's that simply derive multiple keys from the key seed and a counter: $K_i = \operatorname{KDF}(K_{master}, i) = \operatorname{H}(K_{master} | c)$ In this…

asked Apr 19 '14 at 16:41

Maarten Bodewes

96,351
14
169
323

votes

1 answer

AES vs. SHA2 in key-stream generation

A KDF in Counter Mode (e.g., see NIST SP 800-108r1, Section 4.1, similar to HKDF) produces the output as what AES-CTR would do if one replaces AES with SHA2 (or, to be exact, with HMAC). However, NIST, Section 6.3 does not recommend using the…

aes sha-256 stream-cipher xor kbkdf

asked Dec 18 '22 at 16:20

uk-ny

votes

2 answers

How to specify a NIST SP 800-108 KBKDF

Strange question maybe, but say I want to specify a protocol that complies with NIST SP 800-108. This lists a whole set of key based key derivation functions, with a very loose set of parameters. How should I identify the KDF used? It seems that the…

nist asn.1 key-derivation kbkdf

asked Apr 26 '14 at 15:30

Maarten Bodewes

96,351
14
169
323

votes

1 answer

Key Derivation from random salted seed, HMAC and HMAC based KDF

I would like to generate a key which would be good enough to be used for encryption with AES in a mobile environment. My idea is to use as a seed ''random attributes'' from a mobile device. Is hashing first this seed using HMAC construction (with…

hmac salt key-derivation kbkdf

asked Jul 25 '14 at 12:35

Hashed

votes

0 answers

Inconsistency Between NIST SP800-108 and KBKDFVS

I am attempting to implement a Key Based Key Derivation Function (KBKDF) in Counter Mode as part of a larger project. To test my implementation, I was directed towards the Verification System for this function (KBKDFVS) by this helpful question &…

nist kbkdf

asked Sep 01 '20 at 12:24

Luke Kennedy

votes

2 answers

Where can I find official test vectors for NIST SP 800-56C r1 Single Step KDF

NIST 800-56Cr1 describes a single and two (extract-expand) step KDF designed for use in key agreement routines. NIST declares that HKDF (RFC5869) is a version of the two-step variation so test vectors can be found in the RFC. However I am not able…

key-derivation hkdf test-vectors kbkdf

asked Nov 18 '18 at 08:50

Patrick

votes

1 answer

HKDF - Generating a new, random salt per user?

Regarding HKDF, the specification says a salt may be re-used. However, I have set up my system to generate a new, long and cryptographically random salt that persists with the user. This salt is not a secret. (See the RFC, section 3.1) In addition,…

hkdf kbkdf

asked Sep 19 '18 at 21:31

jrl

vote

1 answer

Is using HMAC signature as a long-term password secure?

I'm considering implementing an authentication service without storing users' passwords/hash. I want to use a key derivation function with a corresponding username and a master secret key to calculate the password of the user(user is actually a…

authentication authenticated-encryption pbkdf kbkdf

asked Oct 15 '19 at 07:42

user2828102

votes

0 answers

Is it possible to perform a "KDF flooding" attack to exhaust all contexts c of a KDF and make it unusable?

I'm actually working on KDF (Key Derivation Function) and specificialy on the HKDF paper from CRYPTO-2010. Let's consider the following HKDF oracle : $KDF(\sigma, r, c, l)$ where : $\sigma$ : Raw data from which the KDF is to derive the…

key-derivation hkdf kbkdf

asked Dec 03 '24 at 17:20

Baptoo

votes

1 answer

Is keccak256 (and similar hash functions) a suitable KBKDF for 256-bit keys?

Let's temporarily work upon the assumption that proper KBKDF functions do not exist, for the sake of argument. Would keccak256 be a secure choice for a KBKDF that derives 256-bit keys from a 256-bit master secret $k_{256}$ with an arbitrary-length…

hash key-derivation kbkdf

asked Jul 19 '23 at 08:34

rrrrrrrrrrrrrrrr