API support for DRBG #105

Open
ndevillard opened this issue Oct 6, 2023 · 3 comments
Labels
API design Related the design of the API Crypto API Issue or PR related to the Cryptography API enhancement New feature or request

Comments

@ndevillard (Contributor)

Add support for DRBG. This is needed for compatibility with Automotive security systems such as described by AUTOSAR/SHE or SAE J3101, which recommend following NIST recommendations described in SP 800-90A (Recommendation for RNG using DRBG). A simple API may include Instantiate, Reseed, Generate, maybe also Test, Uninstantiate.

@athoelke athoelke added enhancement New feature or request API design Related the design of the API Crypto API Issue or PR related to the Cryptography API labels Oct 6, 2023
@gilles-peskine-arm (Contributor)

The key derivation can support DRBG, but it's not a great fit.

The lifecycle of a key derivation is:

  1. Setup — psa_key_derivation_setup
  2. Repeat as necessary: pass input (some inputs can be mandatory) — psa_key_derivation_input_bytes
  3. Repeat as necessary: extract output — psa_key_derivation_output_bytes
  4. Abort — psa_key_derivation_abort

The lifecycle of a DRBG is similar enough that it's possible to reuse the same functions; however, there are major differences:

  • You can reseed at any time, not just initially — `psa_key_derivation_input_bytes` can be called again after `psa_key_derivation_output_bytes`.
  • Reseeding multiple times is not passing a seed incrementally (which is a desirable thing in some scenarios involving KDF, but would be strange with a DRBG) — `psa_key_derivation_input_bytes(INPUT_SEED, seed1); psa_key_derivation_input_bytes(INPUT_SEED, seed2)` is not equivalent to `psa_key_derivation_input_bytes(INPUT_SEED, concatenate(seed1, seed2))`.
  • It matters how you slice the output — `psa_key_derivation_output_bytes(out1, len1); psa_key_derivation_output_bytes(out1 + len1, len2);` is not equivalent to `psa_key_derivation_output_bytes(out1, len1 + len2);`.

So it may be better to use a different family of functions.
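The two semantic differences above (reseeding is not incremental, output slicing matters) made concrete with an added example that is not PSA Crypto API code or any project's code: a minimal SP 800-90A HMAC_DRBG over SHA-256 built on Python's standard hmac/hashlib, with constructed seed values.

```python
import hashlib
import hmac

OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

class HmacDrbg:
    """Minimal SP 800-90A HMAC_DRBG over SHA-256 (no reseed interval, no entropy source)."""
    def __init__(self, seed_material: bytes):
        # Instantiate (10.1.2.3): K = 0x00..00, V = 0x01..01, then absorb the seed.
        self.k, self.v = b"\x00" * OUTLEN, b"\x01" * OUTLEN
        self._update(seed_material)

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.k, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update (10.1.2.2): fold provided data into K and V.
        self.k = self._hmac(self.v + b"\x00" + provided)
        self.v = self._hmac(self.v)
        if provided:
            self.k = self._hmac(self.v + b"\x01" + provided)
            self.v = self._hmac(self.v)

    def reseed(self, seed_material: bytes) -> None:
        # Reseed (10.1.2.4) is allowed at any point, even after output.
        self._update(seed_material)

    def generate(self, n: int) -> bytes:
        # Generate (10.1.2.5): chain V through HMAC until n bytes are collected,
        # then run Update so the state moves on after every call.
        out = b""
        while len(out) < n:
            self.v = self._hmac(self.v)
            out += self.v
        self._update(b"")
        return out[:n]

SEED1, SEED2 = b"constructed seed one", b"constructed seed two"  # sample values

def reseed_is_not_incremental() -> bool:
    """reseed(s1); reseed(s2) differs from reseed(s1 || s2), unlike a KDF input stream."""
    a, b = HmacDrbg(b"init"), HmacDrbg(b"init")
    a.reseed(SEED1); a.reseed(SEED2)
    b.reseed(SEED1 + SEED2)
    return a.generate(16) != b.generate(16)

def output_slicing_matters() -> bool:
    """generate(8) + generate(8) differs from generate(16) from the same state."""
    a, b = HmacDrbg(b"init"), HmacDrbg(b"init")
    return a.generate(8) + a.generate(8) != b.generate(16)
```

Both checks return True because every Generate call ends with an Update step that advances K and V, which is exactly the behaviour a stream-oriented KDF output does not have.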

@gilles-peskine-arm (Contributor)

Another type of cryptographic primitive that has nearly the same interface is the sponge construction. It's a bit hard to see what the exact primitive is because in practice, the one sponge that comes up is Keccak. The sponge construction, or more precisely, what the Keccak paper (§2.3) calls the duplex construction, allows alternating inputs and outputs (like DRBG), but treats the whole input and output as a stream (so inputs can be split freely as long as there's no intervening output without changing the result, and conversely outputs can be split freely and will give the same results as long as there's no intervening input).

@ndevillard (Contributor, Author)

ndevillard commented Jan 16, 2024

For reference: Classic AUTOSAR DRBG is described in Classic AUTOSAR Crypto Service Manager R22-11
