Additional supported KDF func w/ HSE

Changhawn — Thu, 28 Nov 2024 08:31:51 GMT

I need KDF function w/HSE , which follow specification of NIST Special Publication 800-56A(The KDF shall be the “concatenation KDF”)

1. Do you have any guide or related code about this?

2. Below code is KDF function w/o HSE(all the paramters is string), If change as KDF func w/ HSE. parameter "sharedSecret" is changed as Key handle. In that case, could you guide and tell how to modify?

Thank u.

int concatKDF(uint8_t *key, unsigned int keyLen, const uint8_t *sharedSecret, unsigned int sharedSecretLen,

const uint8_t *otherInfo, unsigned int otherInfoLen)

{

const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);

mbedtls_md_context_t md;

uint8_t hash[32]; /* SHA256 Info Length is 32 */

uint32_t hashLen;

uint32_t formatted;

uint8_t counter[4];

uint32_t N;

uint32_t offset;

uint32_t amt;

uint32_t minlen;

int rc = 0;

uint32_t i;

const void *res;

{

mbedtls_md_init(&md);

rc = mbedtls_md_setup(&md, md_info, 1);

if (rc != 0)

{

SYS_CONSOLE_PRINT("!!! mbedtls_md_init_ctx returned %d\r\n", rc);

rc = -1;

}

else

{

hashLen = mbedtls_md_get_size(md_info);

if (hashLen > 0u)

{

N = ((unsigned int)keyLen + hashLen - 1u) / hashLen;

offset = 0;

amt = keyLen;

for (i = 1; i <= N; i++)

{

formatted = htonl(i);

counter[0] = (uint8_t)(formatted >> 0) & 0xffu;

counter[1] = (uint8_t)(formatted >> & 0xffu;

counter[2] = (uint8_t)(formatted >> 16) & 0xffu;

counter[3] = (uint8_t)(formatted >> 24) & 0xffu;

rc = mbedtls_md_starts(&md);

rc = mbedtls_md_update(&md, counter, sizeof(counter));

rc = mbedtls_md_update(&md, sharedSecret, sharedSecretLen);

rc = mbedtls_md_update(&md, otherInfo, otherInfoLen);

rc = mbedtls_md_finish(&md, hash);

if (rc != 0)

{

;

}

minlen = (hashLen < amt) ? hashLen : amt;

res = memcpy(&key[offset], hash, (size_t)minlen);

offset += hashLen;

amt = (amt > hashLen) ? (amt - hashLen) : 0u;

}

mbedtls_md_free(&md);

}

else

{

SYS_CONSOLE_PRINT("!!! hash length(md_info size) is zero\r\n");

rc = -1;

}

} while (false);

return rc;

}

Re: Additional supported KDF func w/ HSE

lukaszadrapa — Sat, 30 Nov 2024 14:57:57 GMT

Hi @Changhawn

Follwing algorithms are supported by HSE:

I can see in the source codes that only HSE_KDF_ALGO_TLS12PRF in HSE_Tls12Prf() is used in the NXP port.

So, you can check that function to see how to prepare descriptor to call such service.

Or "S32K344_DemoApp_SessionKeys" example in this package:
https://www.nxp.com/webapp/Download?colCode=S32K3_HSE_DemoExamples
... shows how to call HSE_SRV_ID_KEY_DERIVE.

Regards,
Lukas

Re: Additional supported KDF func w/ HSE

Changhawn — Sun, 01 Dec 2024 02:49:00 GMT

Dear @lukaszadrapa

I need to drive KEY by NIST KDF SP800 56A spec.

Like below picture, I know that HSE is not support KDF SP800 56A .

If it is possible to implement , please let me know.

Thank u.

Chang.

Re: Additional supported KDF func w/ HSE

Changhawn — Thu, 05 Dec 2024 05:14:21 GMT

Dear NXP guys.

In KDF, I know that NIST 800-56A is not supported currently in NXP HSE.

So implemented it without HSE.

S32K中的主题 Re: Additional supported KDF func w/ HSE

Additional supported KDF func w/ HSE

Re: Additional supported KDF func w/ HSE

Re: Additional supported KDF func w/ HSE

Re: Additional supported KDF func w/ HSE