documentation/extensions/crypto_concat_kdf.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

# Concatenation Key Derivation Function (Concat KDF)

This document describes the OP-TEE implementation of the key derivation function
specified in section 5.8.1 of NIST publication [SP 800-56A](http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf), *Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography*. This function is known as *Concatenation KDF* or *Concat
KDF*.

You may disable this extension by setting the following configuration variable
in `conf.mk`:

    CFG_CRYPTO_CONCAT_KDF := n

## Implementation notes

All key and parameter sizes must be multiples of 8 bits. That is:
- Input parameters: the shared secret (*Z*) and *OtherInfo*
- Output parameter: the derived key (*DerivedKeyingMaterial*)

In addition, the maximum size of the derived key is limited by the size of an
object of type TEE_TYPE_GENERIC_SECRET (512 bytes).

This implementation does *not* enforce any requirement on the content of the
*OtherInfo* parameter. It is the application's responsibility to make sure this
parameter is constructed as specified by the NIST specification if compliance
is desired.


## API extension

To support the Concat KDF, the *GlobalPlatform TEE Internal API Specification
v1.0* was extended with new algorithm descriptors, new object types, and new
object attributes as described below.

### p.95 Add new object type to TEE_PopulateTransientObject

The following entry shall be added to Table 5-8:

Object type           | Parts
:---------------------|:--------------------------------------------
TEE_TYPE_CONCAT_KDF_Z | The TEE_ATTR_CONCAT_KDF_Z part (input shared secret) must be provided.

### p.121 Add new algorithms for TEE_AllocateOperation

The following entry shall be added to Table 6-3:

Algorithm                   | Possible Modes
:---------------------------|:--------------
TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY | TEE_MODE_DERIVE

### p.126 Explain usage of HKDF algorithms in TEE_SetOperationKey

In the bullet list about operation mode, the following shall be added:

    * For the Concat KDF algorithms, the only supported mode is TEE_MODE_DERIVE.

### p.150 Define TEE_DeriveKey input attributes for new algorithms

The following sentence shall be deleted:

    The TEE_DeriveKey function can only be used with the algorithm
    TEE_ALG_DH_DERIVE_SHARED_SECRET

The following entry shall be added to Table 6-7:

Algorithm                   | Possible operation parameters
:---------------------------|:-----------------------------
TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY <br> TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY | TEE_ATTR_CONCAT_KDF_DKM_LENGTH: up to 512 bytes. This parameter is mandatory. <br> TEE_ATTR_CONCAT_KDF_OTHER_INFO

### p.152 Add new algorithm identifiers

The following entries shall be added to Table 6-8:

Algorithm                            | Identifier
:------------------------------------|:----------
TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY   | 0x800020C1
TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY | 0x800030C1
TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY | 0x800040C1
TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY | 0x800050C1
TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY | 0x800060C1

### p.154 Define new main algorithm

In Table 6-9 in section 6.10.1, a new value shall be added to the value column
for row bits [7:0]:

Bits       | Function                                       | Value
:----------|:-----------------------------------------------|:-----------------
Bits [7:0] | Identifiy the main underlying algorithm itself | ...<br>0xC1: Concat KDF

The function column for bits[15:12] shall also be modified to read:

Bits         | Function                                     | Value
:------------|:---------------------------------------------|:-----------
Bits [15:12] | Define the message digest for asymmetric signature algorithms or Concat KDF |

### p.155 Add new object type for Concat KDF input shared secret

The following entry shall be added to Table 6-10:

Name                              | Identifier | Possible sizes
:---------------------------------|:-----------|:--------------------------------
TEE_TYPE_CONCAT_KDF_Z             | 0xA10000C1 | 8 to 4096 bits (multiple of 8)

### p.156 Add new operation attributes for Concat KDF

The following entries shall be added to Table 6-11:

Name                               | Value      | Protection | Type  | Comment
:----------------------------------|:-----------|:-----------|:------|:--------
TEE_ATTR_CONCAT_KDF_Z              | 0xC00001C1 | Protected  | Ref   | The shared secret (*Z*)
TEE_ATTR_CONCAT_KDF_OTHER_INFO     | 0xD00002C1 | Public     | Ref   | *OtherInfo*
TEE_ATTR_CONCAT_KDF_DKM_LENGTH     | 0xF00003C1 | Public     | Value | The length (in bytes) of the derived keying material to be generated, maximum 512. This is *KeyDataLen* / 8.