Kerberos KDF

Open bfussell opened this issue 2 years ago • 2 comments

Has there been any thought to adding Kerberos KDF testing? Many of the Linux distros utilize it and it supports FIPS compliant crypto for KDF generation.

Thanks!

bfussell avatar Apr 04 '22 19:04 bfussell

Do you have a specification or something that outlines it? I'm not familiar.

celic avatar Apr 05 '22 15:04 celic

RFC 3961 has the KDF in section 5.1 (exists in OpenSSL 3.0); however, there are a bunch of updated/deprecated and best-practice RFCs since then.

https://datatracker.ietf.org/doc/search?name=kerberos&sort=&rfcs=on&activedrafts=on&by=group&group=

bfussell avatar Apr 05 '22 16:04 bfussell

Hi @bfussell - Are you looking for an official NIST KDF Kerberos certification implementation, or just looking for test vector set gen/val?

jbrock24 avatar Feb 13 '23 19:02 jbrock24

Neither presently. At that time I was asking since OpenSSL 3.0 had a KDF in their FIPS Provider but it wasn't listed as FIPS approved.

bfussell avatar Feb 13 '23 20:02 bfussell

OK, thanks! Just for the record, the certification would require a CMVP assessment to make sure the algo fits specs, and the test vector set gen/val would be a lack of resources to implement presently given the present need. Thanks for the question!

jbrock24 avatar Feb 13 '23 21:02 jbrock24