xref: /freebsd/crypto/openssl/doc/man7/EVP_KDF-SS.pod (revision 0d0c8621fd181e507f0fb50ffcca606faf66a8c2) 
1b077aed3SPierre Pronchery=pod
2b077aed3SPierre Pronchery
3b077aed3SPierre Pronchery=head1 NAME
4b077aed3SPierre Pronchery
5b077aed3SPierre ProncheryEVP_KDF-SS - The Single Step / One Step EVP_KDF implementation
6b077aed3SPierre Pronchery
7b077aed3SPierre Pronchery=head1 DESCRIPTION
8b077aed3SPierre Pronchery
9b077aed3SPierre ProncheryThe EVP_KDF-SS algorithm implements the Single Step key derivation function (SSKDF).
10b077aed3SPierre ProncherySSKDF derives a key using input such as a shared secret key (that was generated
11b077aed3SPierre Proncheryduring the execution of a key establishment scheme) and fixedinfo.
12b077aed3SPierre ProncherySSKDF is also informally referred to as 'Concat KDF'.
13b077aed3SPierre Pronchery
14*0d0c8621SEnji CooperThe output is considered to be keying material.
15*0d0c8621SEnji Cooper
16b077aed3SPierre Pronchery=head2 Auxiliary function
17b077aed3SPierre Pronchery
18b077aed3SPierre ProncheryThe implementation uses a selectable auxiliary function H, which can be one of:
19b077aed3SPierre Pronchery
20b077aed3SPierre Pronchery=over 4
21b077aed3SPierre Pronchery
22b077aed3SPierre Pronchery=item B<H(x) = hash(x, digest=md)>
23b077aed3SPierre Pronchery
24b077aed3SPierre Pronchery=item B<H(x) = HMAC_hash(x, key=salt, digest=md)>
25b077aed3SPierre Pronchery
26b077aed3SPierre Pronchery=item B<H(x) = KMACxxx(x, key=salt, custom="KDF", outlen=mac_size)>
27b077aed3SPierre Pronchery
28b077aed3SPierre Pronchery=back
29b077aed3SPierre Pronchery
30b077aed3SPierre ProncheryBoth the HMAC and KMAC implementations set the key using the 'salt' value.
31b077aed3SPierre ProncheryThe hash and HMAC also require the digest to be set.
32b077aed3SPierre Pronchery
33b077aed3SPierre Pronchery=head2 Identity
34b077aed3SPierre Pronchery
35b077aed3SPierre Pronchery"SSKDF" is the name for this implementation; it
36b077aed3SPierre Proncherycan be used with the EVP_KDF_fetch() function.
37b077aed3SPierre Pronchery
38b077aed3SPierre Pronchery=head2 Supported parameters
39b077aed3SPierre Pronchery
40b077aed3SPierre ProncheryThe supported parameters are:
41b077aed3SPierre Pronchery
42b077aed3SPierre Pronchery=over 4
43b077aed3SPierre Pronchery
44b077aed3SPierre Pronchery=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>
45b077aed3SPierre Pronchery
46b077aed3SPierre Pronchery=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>
47b077aed3SPierre Pronchery
48b077aed3SPierre ProncheryThis parameter is ignored for KMAC.
49b077aed3SPierre Pronchery
50b077aed3SPierre Pronchery=item "mac" (B<OSSL_KDF_PARAM_MAC>) <UTF8 string>
51b077aed3SPierre Pronchery
52b077aed3SPierre Pronchery=item "maclen" (B<OSSL_KDF_PARAM_MAC_SIZE>) <unsigned integer>
53b077aed3SPierre Pronchery
54b077aed3SPierre Pronchery=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
55b077aed3SPierre Pronchery
56b077aed3SPierre ProncheryThese parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
57b077aed3SPierre Pronchery
58e0c4386eSCy Schubert=item "key" (B<OSSL_KDF_PARAM_SECRET>) <octet string>
59b077aed3SPierre Pronchery
60b077aed3SPierre ProncheryThis parameter set the shared secret that is used for key derivation.
61b077aed3SPierre Pronchery
62b077aed3SPierre Pronchery=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>
63b077aed3SPierre Pronchery
64b077aed3SPierre ProncheryThis parameter sets an optional value for fixedinfo, also known as otherinfo.
65b077aed3SPierre Pronchery
66b077aed3SPierre Pronchery=back
67b077aed3SPierre Pronchery
68b077aed3SPierre Pronchery=head1 NOTES
69b077aed3SPierre Pronchery
70b077aed3SPierre ProncheryA context for SSKDF can be obtained by calling:
71b077aed3SPierre Pronchery
72b077aed3SPierre Pronchery EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
73b077aed3SPierre Pronchery EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
74b077aed3SPierre Pronchery
75b077aed3SPierre ProncheryThe output length of an SSKDF is specified via the I<keylen>
76b077aed3SPierre Proncheryparameter to the L<EVP_KDF_derive(3)> function.
77b077aed3SPierre Pronchery
78b077aed3SPierre Pronchery=head1 EXAMPLES
79b077aed3SPierre Pronchery
80b077aed3SPierre ProncheryThis example derives 10 bytes using H(x) = SHA-256, with the secret key "secret"
81b077aed3SPierre Proncheryand fixedinfo value "label":
82b077aed3SPierre Pronchery
83b077aed3SPierre Pronchery EVP_KDF *kdf;
84b077aed3SPierre Pronchery EVP_KDF_CTX *kctx;
85b077aed3SPierre Pronchery unsigned char out[10];
86b077aed3SPierre Pronchery OSSL_PARAM params[4], *p = params;
87b077aed3SPierre Pronchery
88b077aed3SPierre Pronchery kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
89b077aed3SPierre Pronchery kctx = EVP_KDF_CTX_new(kdf);
90b077aed3SPierre Pronchery EVP_KDF_free(kdf);
91b077aed3SPierre Pronchery
92b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
93b077aed3SPierre Pronchery                                         SN_sha256, strlen(SN_sha256));
94b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
95b077aed3SPierre Pronchery                                          "secret", (size_t)6);
96b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
97b077aed3SPierre Pronchery                                          "label", (size_t)5);
98b077aed3SPierre Pronchery *p = OSSL_PARAM_construct_end();
99b077aed3SPierre Pronchery if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
100b077aed3SPierre Pronchery     error("EVP_KDF_derive");
101b077aed3SPierre Pronchery }
102b077aed3SPierre Pronchery
103b077aed3SPierre Pronchery EVP_KDF_CTX_free(kctx);
104b077aed3SPierre Pronchery
105b077aed3SPierre ProncheryThis example derives 10 bytes using H(x) = HMAC(SHA-256), with the secret key "secret",
106b077aed3SPierre Proncheryfixedinfo value "label" and salt "salt":
107b077aed3SPierre Pronchery
108b077aed3SPierre Pronchery EVP_KDF *kdf;
109b077aed3SPierre Pronchery EVP_KDF_CTX *kctx;
110b077aed3SPierre Pronchery unsigned char out[10];
111b077aed3SPierre Pronchery OSSL_PARAM params[6], *p = params;
112b077aed3SPierre Pronchery
113b077aed3SPierre Pronchery kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
114b077aed3SPierre Pronchery kctx = EVP_KDF_CTX_new(kdf);
115b077aed3SPierre Pronchery EVP_KDF_free(kdf);
116b077aed3SPierre Pronchery
117b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
118b077aed3SPierre Pronchery                                         SN_hmac, strlen(SN_hmac));
119b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
120b077aed3SPierre Pronchery                                         SN_sha256, strlen(SN_sha256));
121e0c4386eSCy Schubert *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
122b077aed3SPierre Pronchery                                          "secret", (size_t)6);
123b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
124b077aed3SPierre Pronchery                                          "label", (size_t)5);
125b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
126b077aed3SPierre Pronchery                                          "salt", (size_t)4);
127b077aed3SPierre Pronchery *p = OSSL_PARAM_construct_end();
128b077aed3SPierre Pronchery if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
129b077aed3SPierre Pronchery     error("EVP_KDF_derive");
130b077aed3SPierre Pronchery }
131b077aed3SPierre Pronchery
132b077aed3SPierre Pronchery EVP_KDF_CTX_free(kctx);
133b077aed3SPierre Pronchery
134b077aed3SPierre ProncheryThis example derives 10 bytes using H(x) = KMAC128(x,salt,outlen), with the secret key "secret"
135b077aed3SPierre Proncheryfixedinfo value "label", salt of "salt" and KMAC outlen of 20:
136b077aed3SPierre Pronchery
137b077aed3SPierre Pronchery EVP_KDF *kdf;
138b077aed3SPierre Pronchery EVP_KDF_CTX *kctx;
139b077aed3SPierre Pronchery unsigned char out[10];
140b077aed3SPierre Pronchery OSSL_PARAM params[6], *p = params;
141b077aed3SPierre Pronchery
142b077aed3SPierre Pronchery kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
143b077aed3SPierre Pronchery kctx = EVP_KDF_CTX_new(kdf);
144b077aed3SPierre Pronchery EVP_KDF_free(kdf);
145b077aed3SPierre Pronchery
146b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
147b077aed3SPierre Pronchery                                         SN_kmac128, strlen(SN_kmac128));
148e0c4386eSCy Schubert *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
149b077aed3SPierre Pronchery                                          "secret", (size_t)6);
150b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
151b077aed3SPierre Pronchery                                          "label", (size_t)5);
152b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
153b077aed3SPierre Pronchery                                          "salt", (size_t)4);
154b077aed3SPierre Pronchery *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, (size_t)20);
155b077aed3SPierre Pronchery *p = OSSL_PARAM_construct_end();
156b077aed3SPierre Pronchery if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
157b077aed3SPierre Pronchery     error("EVP_KDF_derive");
158b077aed3SPierre Pronchery }
159b077aed3SPierre Pronchery
160b077aed3SPierre Pronchery EVP_KDF_CTX_free(kctx);
161b077aed3SPierre Pronchery
162b077aed3SPierre Pronchery=head1 CONFORMING TO
163b077aed3SPierre Pronchery
164b077aed3SPierre ProncheryNIST SP800-56Cr1.
165b077aed3SPierre Pronchery
166b077aed3SPierre Pronchery=head1 SEE ALSO
167b077aed3SPierre Pronchery
168b077aed3SPierre ProncheryL<EVP_KDF(3)>,
169b077aed3SPierre ProncheryL<EVP_KDF_CTX_new(3)>,
170b077aed3SPierre ProncheryL<EVP_KDF_CTX_free(3)>,
171b077aed3SPierre ProncheryL<EVP_KDF_CTX_set_params(3)>,
172b077aed3SPierre ProncheryL<EVP_KDF_CTX_get_kdf_size(3)>,
173b077aed3SPierre ProncheryL<EVP_KDF_derive(3)>,
174b077aed3SPierre ProncheryL<EVP_KDF(3)/PARAMETERS>
175b077aed3SPierre Pronchery
176b077aed3SPierre Pronchery=head1 HISTORY
177b077aed3SPierre Pronchery
178b077aed3SPierre ProncheryThis functionality was added in OpenSSL 3.0.
179b077aed3SPierre Pronchery
180b077aed3SPierre Pronchery=head1 COPYRIGHT
181b077aed3SPierre Pronchery
182b077aed3SPierre ProncheryCopyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.  Copyright
183b077aed3SPierre Pronchery(c) 2019, Oracle and/or its affiliates.  All rights reserved.
184b077aed3SPierre Pronchery
185b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License").  You may not use
186b077aed3SPierre Proncherythis file except in compliance with the License.  You can obtain a copy
187b077aed3SPierre Proncheryin the file LICENSE in the source distribution or at
188b077aed3SPierre ProncheryL<https://www.openssl.org/source/license.html>.
189b077aed3SPierre Pronchery
190b077aed3SPierre Pronchery=cut
191