> On Jan 7, 2019, at 11:09 PM, Stephan Mueller <smuel...@chronox.de> wrote: > > Am Dienstag, 8. Januar 2019, 06:03:58 CET schrieb Herbert Xu: > > Hi Herbert, > >> Are we going to have multiple implementations for the same KDF? >> If not then the crypto API is not a good fit. To consolidate >> multiple implementations of the same KDF, simply provide helpers >> for them. > > It is unlikely to have multiple implementations of a KDF. However, KDFs > relate > to hashes like block chaining modes to raw block ciphers. Thus a KDF can be > applied with different hashes. > > My idea was to add template support to RNGs (because KDFs are effectively a > type of RNG since they produce an arbitrary output from a fixed input). The > KDFs would be a template wrapping hashes. For example, the CTR-KDF from > SP800-108 could be instantiated like kdf-ctr(sha256). > >
I think that, if the crypto API is going to grow a KDF facility, it should be done right. Have a key type or flag or whatever that says “this key may *only* be used to derive keys using such-and-such algorithm”, and have a helper to derive a key. That helper should take some useful parameters and mix them in: - What type of key is being derived? ECDSA signing key? HMAC key? AES key? - Can user code access the derived key? - What is the key’s purpose? “Encrypt and authenticate a hibernation image” would be a purpose. - Number of bytes. All of these parameters should be mixed in to the key derivation. Also, an AE key, even for AES+HMAC, should be just one derived key. If you need 512 bits, ask for a 512-bit key, not two 256-bit keys.
