10.6. Key derivation¶
A key derivation encodes a deterministic method to generate a finite stream of bytes. This data stream is computed by the cryptoprocessor and extracted in chunks. If two key derivation operations are constructed with the same parameters, then they produce the same output.
A key derivation consists of two phases:
Input collection. This is sometimes known as extraction: the operation “extracts” information from the inputs to generate a pseudorandom intermediate secret value.
Output generation. This is sometimes known as expansion: the operation “expands” the intermediate secret value to the desired output length.
The specification defines a multi-part operation API for key derivation that allows:
Multiple key and non-key outputs to be produced from a single derivation operation object.
Key and non-key outputs can be extracted from the key derivation object, or compared with existing key and non-key values.
Algorithms that require high-entropy secret inputs. For example
PSA_ALG_HKDF
.Algorithms that work with low-entropy secret inputs, or passwords. For example
PSA_ALG_PBKDF2_HMAC()
.
An implementation with isolation has the following properties:
The intermediate state of the key derivation is not visible to the caller.
If an output of the derivation is a non-exportable key, then this key cannot be recovered outside the isolation boundary.
If an output of the derivation is compared using
psa_key_derivation_verify_bytes()
orpsa_key_derivation_verify_key()
, then the output is not visible to the caller.
Applications use the psa_key_derivation_operation_t
type to create key derivation operations. The operation object is used as follows:
Initialize a
psa_key_derivation_operation_t
object to zero or toPSA_KEY_DERIVATION_OPERATION_INIT
.Call
psa_key_derivation_setup()
to select a key derivation algorithm.Call the functions
psa_key_derivation_input_key()
orpsa_key_derivation_key_agreement()
to provide the secret inputs, andpsa_key_derivation_input_bytes()
orpsa_key_derivation_input_integer()
to provide the non-secret inputs, to the key derivation algorithm. Many key derivation algorithms take multiple inputs; thestep
parameter to these functions indicates which input is being provided. The documentation for each key derivation algorithm describes the expected inputs for that algorithm and in what order to pass them.Optionally, call
psa_key_derivation_set_capacity()
to set a limit on the amount of data that can be output from the key derivation operation.Call an output or verification function:
psa_key_derivation_output_key()
to create a derived key.psa_key_derivation_output_bytes()
to export the derived data.psa_key_derivation_verify_key()
to compare a derived key with an existing key value.psa_key_derivation_verify_bytes()
to compare derived data with a buffer.
These functions can be called multiple times to read successive output from the key derivation, until the stream is exhausted when its capacity has been reached.
Key derivation does not finish in the same way as other multi-part operations. Call
psa_key_derivation_abort()
to release the key derivation operation memory when the object is no longer required.
To recover from an error, call psa_key_derivation_abort()
to release the key derivation operation memory.
A key derivation operation cannot be rewound. Once a part of the stream has been output, it cannot be output again. This ensures that the same part of the output will not be used for different purposes.
10.6.1. Key derivation algorithms¶
PSA_ALG_HKDF
(macro)¶
Macro to build an HKDF algorithm.
#define PSA_ALG_HKDF(hash_alg) /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding HKDF algorithm. For example, PSA_ALG_HKDF
(
PSA_ALG_SHA_256
)
is HKDF using HMAC-SHA-256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
This is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) specified by HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [RFC5869].
This key derivation algorithm uses the following inputs:
PSA_KEY_DERIVATION_INPUT_SALT
is the salt used in the “extract” step. It is optional; if omitted, the derivation uses an empty salt.PSA_KEY_DERIVATION_INPUT_SECRET
is the secret key (input keying material) used in the “extract” step.PSA_KEY_DERIVATION_INPUT_INFO
is the info string used in the “expand” step.
If PSA_KEY_DERIVATION_INPUT_SALT
is provided, it must be before PSA_KEY_DERIVATION_INPUT_SECRET
. PSA_KEY_DERIVATION_INPUT_INFO
can be provided at any time after setup and before starting to generate output.
Warning
HKDF processes the salt as follows: first hash it with hash_alg
if the salt is longer than the block size of the hash algorithm; then pad with null bytes up to the block size. As a result, it is possible for distinct salt inputs to result in the same outputs. To ensure unique outputs, it is recommended to use a fixed length for salt values.
Each input may only be passed once.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for the secret key)PSA_KEY_TYPE_RAW_DATA
(for the other inputs)PSA_ALG_HKDF_EXTRACT
(macro)¶
Macro to build an HKDF-Extract algorithm.
#define PSA_ALG_HKDF_EXTRACT(hash_alg) /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding HKDF-Extract algorithm. For example, PSA_ALG_HKDF_EXTRACT
(
PSA_ALG_SHA_256
)
is HKDF-Extract using HMAC-SHA-256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
This is the Extract step of HKDF as specified by HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [RFC5869] §2.2.
This key derivation algorithm uses the following inputs:
PSA_KEY_DERIVATION_INPUT_SALT
is the salt.PSA_KEY_DERIVATION_INPUT_SECRET
is the input keying material used in the “extract” step.
The inputs are mandatory and must be passed in the order above. Each input may only be passed once.
Warning
HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
should be used instead if possible. PSA_ALG_HKDF_EXTRACT
is provided as a separate algorithm for the sake of protocols that use it as a building block. It may also be a slight performance optimization in applications that use HKDF with the same salt and key but many different info strings.
Warning
HKDF processes the salt as follows: first hash it with hash_alg
if the salt is longer than the block size of the hash algorithm; then pad with null bytes up to the block size. As a result, it is possible for distinct salt inputs to result in the same outputs. To ensure unique outputs, it is recommended to use a fixed length for salt values.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for the input keying material)PSA_KEY_TYPE_RAW_DATA
(for the salt)PSA_ALG_HKDF_EXPAND
(macro)¶
Macro to build an HKDF-Expand algorithm.
#define PSA_ALG_HKDF_EXPAND(hash_alg) /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding HKDF-Expand algorithm. For example, PSA_ALG_HKDF_EXPAND
(
PSA_ALG_SHA_256
)
is HKDF-Expand using HMAC-SHA-256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
This is the Expand step of HKDF as specified by HMAC-based Extract-and-Expand Key Derivation Function (HKDF) [RFC5869] §2.3.
This key derivation algorithm uses the following inputs:
PSA_KEY_DERIVATION_INPUT_SECRET
is the pseudorandom key (PRK).PSA_KEY_DERIVATION_INPUT_INFO
is the info string.
The inputs are mandatory and must be passed in the order above. Each input may only be passed once.
Warning
HKDF-Expand is not meant to be used on its own. PSA_ALG_HKDF
should be used instead if possible. PSA_ALG_HKDF_EXPAND
is provided as a separate algorithm for the sake of protocols that use it as a building block. It may also be a slight performance optimization in applications that use HKDF with the same salt and key but many different info strings.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for the pseudorandom key)PSA_KEY_TYPE_RAW_DATA
(for the info string)PSA_ALG_SP800_108_COUNTER_HMAC
(macro)¶
Macro to build a NIST SP 800-108 conformant, counter-mode KDF algorithm based on HMAC.
#define PSA_ALG_SP800_108_COUNTER_HMAC(hash_alg) \ /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding key derivation algorithm. For example, the counter-mode KDF using HMAC-SHA-256 is PSA_ALG_SP800_108_COUNTER_HMAC
(
PSA_ALG_SHA_256
)
.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
This is an HMAC-based, counter mode key derivation function, using the construction recommended by NIST Special Publication 800-108r1: Recommendation for Key Derivation Using Pseudorandom Functions [SP800-108], §4.1.
This key derivation algorithm uses the following inputs:
PSA_KEY_DERIVATION_INPUT_SECRET
is the secret input keying material, \(K_{IN}\).PSA_KEY_DERIVATION_INPUT_LABEL
is the \(Label\). It is optional; if omitted, \(Label\) is a zero-length string. If provided, it must not contain any null bytes.PSA_KEY_DERIVATION_INPUT_CONTEXT
is the \(Context\). It is optional; if omitted, \(Context\) is a zero-length string.
Each input can only be passed once. Inputs must be passed in the order above.
This algorithm uses the output length as part of the derivation process. In the derivation this value is \(L\), the required output size in bits. After setup, the initial capacity of the key derivation operation is \(2^{29}-1\) bytes (0x1fffffff
). The capacity can be set to a lower value by calling psa_key_derivation_set_capacity()
.
When the first output is requested, the value of \(L\) is calculated as \(L=8*cap\), where \(cap\) is the value of psa_key_derivation_get_capacity()
. Subsequent calls to psa_key_derivation_set_capacity()
are not permitted for this algorithm.
The derivation is constructed as described in [SP800-108] §4.1, with the iteration counter \(i\) and output length \(L\) encoded as big-endian, 32-bit values. The resulting output stream \(K_1\ ||\ K_2\ ||\ K_3\ ||\ ...\) is computed as:
Where \([x]_n\) is the big-endian, \(n\)-byte encoding of the integer \(x\).
Compatible key types
PSA_KEY_TYPE_HMAC
(for the secret key)PSA_KEY_TYPE_DERIVE
(for the secret key)PSA_KEY_TYPE_RAW_DATA
(for the other inputs)PSA_ALG_SP800_108_COUNTER_CMAC
(macro)¶
Macro to build a NIST SP 800-108 conformant, counter-mode KDF algorithm based on CMAC.
#define PSA_ALG_SP800_108_COUNTER_CMAC ((psa_algorithm_t)0x08000800)
This is a CMAC-based, counter mode key derivation function, using the construction recommended by NIST Special Publication 800-108r1: Recommendation for Key Derivation Using Pseudorandom Functions [SP800-108], §4.1.
This key derivation algorithm uses the following inputs:
PSA_KEY_DERIVATION_INPUT_SECRET
is the secret input keying material, \(K_{IN}\). This must be a block-cipher key that is compatible with the CMAC algorithm, and must be input usingpsa_key_derivation_input_key()
. See alsoPSA_ALG_CMAC
.PSA_KEY_DERIVATION_INPUT_LABEL
is the \(Label\). It is optional; if omitted, \(Label\) is a zero-length string. If provided, it must not contain any null bytes.PSA_KEY_DERIVATION_INPUT_CONTEXT
is the \(Context\). It is optional; if omitted, \(Context\) is a zero-length string.
Each input can only be passed once. Inputs must be passed in the order above.
This algorithm uses the output length as part of the derivation process. In the derivation this value is \(L\), the required output size in bits. After setup, the initial capacity of the key derivation operation is \(2^{29}-1\) bytes (0x1fffffff
). The capacity can be set to a lower value by calling psa_key_derivation_set_capacity()
.
When the first output is requested, the value of \(L\) is calculated as \(L=8*cap\), where \(cap\) is the value of psa_key_derivation_get_capacity()
. Subsequent calls to psa_key_derivation_set_capacity()
are not permitted for this algorithm.
The derivation is constructed as described in [SP800-108] §4.1, with the following details:
The iteration counter \(i\) and output length \(L\) are encoded as big-endian, 32-bit values.
The mitigation to make the CMAC-based construction robust is implemented.
The resulting output stream \(K_1\ ||\ K_2\ ||\ K_3\ ||\ ...\) is computed as:
Where \([x]_n\) is the big-endian, \(n\)-byte encoding of the integer \(x\).
Compatible key types
PSA_KEY_TYPE_AES
(for the secret key)PSA_KEY_TYPE_ARIA
(for the secret key)PSA_KEY_TYPE_CAMELLIA
(for the secret key)PSA_KEY_TYPE_SM4
(for the secret key)PSA_KEY_TYPE_RAW_DATA
(for the other inputs)PSA_ALG_TLS12_PRF
(macro)¶
Macro to build a TLS-1.2 PRF algorithm.
#define PSA_ALG_TLS12_PRF(hash_alg) /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding TLS-1.2 PRF algorithm. For example, PSA_ALG_TLS12_PRF
(
PSA_ALG_SHA_256
)
represents the TLS 1.2 PRF using HMAC-SHA-256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule, specified in The Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246] §5. It is based on HMAC and can be used with either SHA-256 or SHA-384.
This key derivation algorithm uses the following inputs, which must be passed in the order given here:
PSA_KEY_DERIVATION_INPUT_SEED
is the seed.PSA_KEY_DERIVATION_INPUT_SECRET
is the secret key.PSA_KEY_DERIVATION_INPUT_LABEL
is the label.
Each input may only be passed once.
For the application to TLS-1.2 key expansion:
The seed is the concatenation of
ServerHello.Random + ClientHello.Random
.The label is
"key expansion"
.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for the secret key)PSA_KEY_TYPE_RAW_DATA
(for the other inputs)PSA_ALG_TLS12_PSK_TO_MS
(macro)¶
Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.
#define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding TLS-1.2 PSK to MS algorithm. For example, PSA_ALG_TLS12_PSK_TO_MS
(
PSA_ALG_SHA_256
)
represents the TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
In a pure-PSK handshake in TLS 1.2, the master secret (MS) is derived from the pre-shared key (PSK) through the application of padding (Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) [RFC4279] §2) and the TLS-1.2 PRF (The Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246] §5). The latter is based on HMAC and can be used with either SHA-256 or SHA-384.
This key derivation algorithm uses the following inputs, which must be passed in the order given here:
PSA_KEY_DERIVATION_INPUT_SEED
is the seed.PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
is the other secret for the computation of the premaster secret. This input is optional; if omitted, it defaults to a string of null bytes with the same length as the secret (PSK) input.PSA_KEY_DERIVATION_INPUT_SECRET
is the PSK. The PSK must not be larger thanPSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE
.PSA_KEY_DERIVATION_INPUT_LABEL
is the label.
Each input may only be passed once.
For the application to TLS-1.2:
The seed, which is forwarded to the TLS-1.2 PRF, is the concatenation of the
ClientHello.Random + ServerHello.Random
.The other secret depends on the key exchange specified in the cipher suite:
For a plain PSK cipher suite ([RFC4279] §2), omit
PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
.For a DHE-PSK ([RFC4279] §3) or ECDHE-PSK cipher suite (ECDHE_PSK Cipher Suites for Transport Layer Security (TLS) [RFC5489] §2), the other secret should be the output of the
PSA_ALG_FFDH
orPSA_ALG_ECDH
key agreement performed with the peer. The recommended way to pass this input is to use a key derivation algorithm constructed asPSA_ALG_KEY_AGREEMENT
(
ka_alg
,
PSA_ALG_TLS12_PSK_TO_MS
(
hash_alg
))
and to callpsa_key_derivation_key_agreement()
. Alternatively, this input may be an output ofpsa_key_agreement()
passed withpsa_key_derivation_input_key()
, or an equivalent input passed withpsa_key_derivation_input_bytes()
orpsa_key_derivation_input_key()
.For a RSA-PSK cipher suite ([RFC4279] §4), the other secret should be the 48-byte client challenge (the
PreMasterSecret
of [RFC5246] §7.4.7.1) concatenation of the TLS version and a 46-byte random string chosen by the client. On the server, this is typically an output ofpsa_asymmetric_decrypt()
usingPSA_ALG_RSA_PKCS1V15_CRYPT
, passed to the key derivation operation withpsa_key_derivation_input_bytes()
.
The label is
"master secret"
or"extended master secret"
.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for the PSK)PSA_KEY_TYPE_RAW_DATA
(for the other inputs)PSA_ALG_TLS12_ECJPAKE_TO_PMS
(macro)¶
The TLS 1.2 ECJPAKE-to-PMS key-derivation algorithm.
#define PSA_ALG_TLS12_ECJPAKE_TO_PMS ((psa_algorithm_t)0x08000609)
This KDF is defined in Elliptic Curve J-PAKE Cipher Suites for Transport Layer Security (TLS) [TLS-ECJPAKE] §8.7. This specifies the use of a KDF to derive the TLS 1.2 session secrets from the output of EC J-PAKE over the secp256r1 Elliptic curve (the 256-bit curve in PSA_ECC_FAMILY_SECP_R1
). EC J-PAKE operations can be performed using the extension to the Crypto API defined in PSA Certified Crypto API 1.2 PAKE Extension [PSA-PAKE].
This KDF takes the shared secret \(K\) (an uncompressed EC point in case of EC J-PAKE) and calculates \(\text{SHA256}(K.x)\).
This function takes a single input:
PSA_KEY_DERIVATION_INPUT_SECRET
is the shared secret \(K\) from EC J-PAKE. For secp256r1, the input is exactly 65 bytes.The shared secret can be obtained by calling
psa_pake_get_shared_key
()
on a PAKE operation that is performing the EC J-PAKE algorithm. These are defined in the PAKE extension API, see [PSA-PAKE].
The 32-byte output has to be read in a single call to either psa_key_derivation_output_bytes()
or psa_key_derivation_output_key()
. The size of the output is defined as PSA_TLS12_ECJPAKE_TO_PMS_OUTPUT_SIZE
.
Compatible key types
PSA_KEY_TYPE_DERIVE
— the secret key is extracted from a PAKE operation by calling psa_pake_get_shared_key
()
.PSA_ALG_PBKDF2_HMAC
(macro)¶
Macro to build a PBKDF2-HMAC password-hashing or key-stretching algorithm.
#define PSA_ALG_PBKDF2_HMAC(hash_alg) /* specification-defined value */
Parameters
hash_alg
A hash algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_HASH
(
hash_alg
)
is true.
Returns
The corresponding PBKDF2-HMAC-XXX algorithm. For example, PSA_ALG_PBKDF2_HMAC
(
PSA_ALG_SHA_256
)
is the algorithm identifier for PBKDF2-HMAC-SHA-256.
Unspecified if hash_alg
is not a supported hash algorithm.
Description
PBKDF2 is specified by PKCS #5: Password-Based Cryptography Specification Version 2.1 [RFC8018] §5.2. This macro constructs a PBKDF2 algorithm that uses a pseudo-random function based on HMAC with the specified hash.
This key derivation algorithm uses the following inputs, which must be provided in the following order:
PSA_KEY_DERIVATION_INPUT_COST
is the iteration count. This input step must be used exactly once.PSA_KEY_DERIVATION_INPUT_SALT
is the salt. This input step must be used one or more times; if used several times, the inputs will be concatenated. This can be used to build the final salt from multiple sources, both public and secret (also known as pepper).PSA_KEY_DERIVATION_INPUT_PASSWORD
is the password to be hashed. This input step must be used exactly once.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for password input)PSA_KEY_TYPE_PASSWORD
(for password input)PSA_KEY_TYPE_PEPPER
(for salt input)PSA_KEY_TYPE_RAW_DATA
(for salt input)PSA_KEY_TYPE_PASSWORD_HASH
(for key verification)PSA_ALG_PBKDF2_AES_CMAC_PRF_128
(macro)¶
The PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching algorithm.
#define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200)
PBKDF2 is specified by PKCS #5: Password-Based Cryptography Specification Version 2.1 [RFC8018] §5.2. This algorithm specifies the PBKDF2 algorithm using the AES-CMAC-PRF-128 pseudo-random function specified by [RFC4615]
This key derivation algorithm uses the same inputs as PSA_ALG_PBKDF2_HMAC()
with the same constraints.
Compatible key types
PSA_KEY_TYPE_DERIVE
(for password input)PSA_KEY_TYPE_PASSWORD
(for password input)PSA_KEY_TYPE_PEPPER
(for salt input)PSA_KEY_TYPE_RAW_DATA
(for salt input)PSA_KEY_TYPE_PASSWORD_HASH
(for key verification)10.6.2. Input step types¶
psa_key_derivation_step_t
(typedef)¶
Encoding of the step of a key derivation.
typedef uint16_t psa_key_derivation_step_t;
Implementation note
It is recommended that the value 0
is not allocated as a valid key derivation step.
PSA_KEY_DERIVATION_INPUT_SECRET
(macro)¶
A high-entropy secret input for key derivation.
#define PSA_KEY_DERIVATION_INPUT_SECRET /* implementation-defined value */
This is typically a key of type PSA_KEY_TYPE_DERIVE
passed to psa_key_derivation_input_key()
, or the shared secret resulting from a key agreement obtained via psa_key_derivation_key_agreement()
.
For some algorithms, a specific type of key is required. For example, see PSA_ALG_SP800_108_COUNTER_CMAC
.
The secret can also be a direct input passed to psa_key_derivation_input_bytes()
. In this case, the derivation operation cannot be used to derive keys: the operation will not permit a call to psa_key_derivation_output_key()
.
PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
(macro)¶
A high-entropy additional secret input for key derivation.
#define PSA_KEY_DERIVATION_INPUT_OTHER_SECRET \ /* implementation-defined value */
This is typically the shared secret resulting from a key agreement obtained via psa_key_derivation_key_agreement()
. It may alternatively be a key of type PSA_KEY_TYPE_DERIVE
passed to psa_key_derivation_input_key()
, or a direct input passed to psa_key_derivation_input_bytes()
.
PSA_KEY_DERIVATION_INPUT_PASSWORD
(macro)¶
A low-entropy secret input for password hashing or key stretching.
#define PSA_KEY_DERIVATION_INPUT_PASSWORD /* implementation-defined value */
This is usually a key of type PSA_KEY_TYPE_PASSWORD
passed to psa_key_derivation_input_key()
or a direct input passed to psa_key_derivation_input_bytes()
that is a password or passphrase. It can also be high-entropy secret, for example, a key of type PSA_KEY_TYPE_DERIVE
, or the shared secret resulting from a key agreement.
If the secret is a direct input, the derivation operation cannot be used to derive keys: the operation will not permit a call to psa_key_derivation_output_key()
.
PSA_KEY_DERIVATION_INPUT_LABEL
(macro)¶
A label for key derivation.
#define PSA_KEY_DERIVATION_INPUT_LABEL /* implementation-defined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_CONTEXT
(macro)¶
A context for key derivation.
#define PSA_KEY_DERIVATION_INPUT_CONTEXT /* implementation-defined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_SALT
(macro)¶
A salt for key derivation.
#define PSA_KEY_DERIVATION_INPUT_SALT /* implementation-defined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
or PSA_KEY_TYPE_PEPPER
.
PSA_KEY_DERIVATION_INPUT_INFO
(macro)¶
An information string for key derivation.
#define PSA_KEY_DERIVATION_INPUT_INFO /* implementation-defined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_SEED
(macro)¶
A seed for key derivation.
#define PSA_KEY_DERIVATION_INPUT_SEED /* implementation-defined value */
This is typically a direct input. It can also be a key of type PSA_KEY_TYPE_RAW_DATA
.
PSA_KEY_DERIVATION_INPUT_COST
(macro)¶
A cost parameter for password hashing or key stretching.
#define PSA_KEY_DERIVATION_INPUT_COST /* implementation-defined value */
This must be a direct input, passed to psa_key_derivation_input_integer()
.
10.6.3. Key derivation functions¶
psa_key_derivation_operation_t
(typedef)¶
The type of the state object for key derivation operations.
typedef /* implementation-defined type */ psa_key_derivation_operation_t;
Before calling any function on a key derivation operation object, the application must initialize it by any of the following means:
Set the object to all-bits-zero, for example:
psa_key_derivation_operation_t operation; memset(&operation, 0, sizeof(operation));
Initialize the object to logical zero values by declaring the object as static or global without an explicit initializer, for example:
static psa_key_derivation_operation_t operation;
Initialize the object to the initializer
PSA_KEY_DERIVATION_OPERATION_INIT
, for example:psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
Assign the result of the function
psa_key_derivation_operation_init()
to the object, for example:psa_key_derivation_operation_t operation; operation = psa_key_derivation_operation_init();
This is an implementation-defined type. Applications that make assumptions about the content of this object will result in implementation-specific behavior, and are non-portable.
PSA_KEY_DERIVATION_OPERATION_INIT
(macro)¶
This macro returns a suitable initializer for a key derivation operation object of type psa_key_derivation_operation_t
.
#define PSA_KEY_DERIVATION_OPERATION_INIT /* implementation-defined value */
psa_key_derivation_operation_init
(function)¶
Return an initial value for a key derivation operation object.
psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
Returns: psa_key_derivation_operation_t
psa_key_derivation_setup
(function)¶
Set up a key derivation operation.
psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t * operation, psa_algorithm_t alg);
Parameters
operation
The key derivation operation object to set up. It must have been initialized but not set up yet.
alg
The algorithm to compute. This must be one of the following:
A key derivation algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_KEY_DERIVATION
(
alg
)
is true.A key agreement and derivation algorithm: a value of type
psa_algorithm_t
such thatPSA_ALG_IS_KEY_AGREEMENT
(
alg
)
is true andPSA_ALG_IS_RAW_KEY_AGREEMENT
(
alg
)
is false.
Returns: psa_status_t
PSA_SUCCESS
Success. The operation is now active.
PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be inactive.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_INVALID_ARGUMENT
alg
is neither a key derivation algorithm, nor a key agreement and derivation algorithm.PSA_ERROR_NOT_SUPPORTED
alg
is not supported or is not a key derivation algorithm, or a key agreement and derivation algorithm.PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
Description
A key derivation algorithm takes some inputs and uses them to generate a byte stream in a deterministic way. This byte stream can be used to produce keys and other cryptographic material.
A key agreement and derivation algorithm uses a key agreement protocol to provide a shared secret which is used for the key derivation. See psa_key_derivation_key_agreement()
.
The sequence of operations to derive a key is as follows:
Allocate a key derivation operation object which will be passed to all the functions listed here.
Initialize the operation object with one of the methods described in the documentation for
psa_key_derivation_operation_t
, e.g.PSA_KEY_DERIVATION_OPERATION_INIT
.Call
psa_key_derivation_setup()
to specify the algorithm.Provide the inputs for the key derivation by calling
psa_key_derivation_input_bytes()
orpsa_key_derivation_input_key()
as appropriate. Which inputs are needed, in what order, whether keys are permitted, and what type of keys depends on the algorithm.Optionally set the operation’s maximum capacity with
psa_key_derivation_set_capacity()
. This can be done before, in the middle of, or after providing inputs. For some algorithms, this step is mandatory because the output depends on the maximum capacity.To derive a key, call
psa_key_derivation_output_key()
. To derive a byte string for a different purpose, callpsa_key_derivation_output_bytes()
. Successive calls to these functions use successive output bytes calculated by the key derivation algorithm.Clean up the key derivation operation object with
psa_key_derivation_abort()
.
After a successful call to psa_key_derivation_setup()
, the operation is active, and the application must eventually terminate the operation with a call to psa_key_derivation_abort()
.
If psa_key_derivation_setup()
returns an error, the operation object is unchanged. If a subsequent function call with an active operation returns an error, the operation enters an error state.
To abandon an active operation, or reset an operation in an error state, call psa_key_derivation_abort()
.
psa_key_derivation_get_capacity
(function)¶
Retrieve the current capacity of a key derivation operation.
psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t * operation, size_t * capacity);
Parameters
operation
The operation to query.
capacity
On success, the capacity of the operation.
Returns: psa_status_t
PSA_SUCCESS
Success. The maximum number of bytes that this key derivation can return is
(*capacity)
.PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be active.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
Description
The capacity of a key derivation is the maximum number of bytes that it can return. Reading \(N\) bytes of output from a key derivation operation reduces its capacity by at least \(N\). The capacity can be reduced by more than \(N\) in the following situations:
Calling
psa_key_derivation_output_key()
can reduce the capacity by more than the key size, depending on the type of key being generated. Seepsa_key_derivation_output_key()
for details of the key derivation process.When the
psa_key_derivation_operation_t
object is operating as a deterministic random bit generator (DBRG), which reduces capacity in whole blocks, even when less than a block is read.
psa_key_derivation_set_capacity
(function)¶
Set the maximum capacity of a key derivation operation.
psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t * operation, size_t capacity);
Parameters
operation
The key derivation operation object to modify.
capacity
The new capacity of the operation. It must be less or equal to the operation’s current capacity.
Returns: psa_status_t
PSA_SUCCESS
Success.
PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be active.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_INVALID_ARGUMENT
capacity
is larger than the operation’s current capacity. In this case, the operation object remains valid and its capacity remains unchanged.PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
Description
The capacity of a key derivation operation is the maximum number of bytes that the key derivation operation can return from this point onwards.
Note
For some algorithms, the capacity value can affect the output of the key derivation. For example, see PSA_ALG_SP800_108_COUNTER_HMAC
.
psa_key_derivation_input_bytes
(function)¶
Provide an input for key derivation or key agreement.
psa_status_t psa_key_derivation_input_bytes(psa_key_derivation_operation_t * operation, psa_key_derivation_step_t step, const uint8_t * data, size_t data_length);
Parameters
operation
The key derivation operation object to use. It must have been set up with
psa_key_derivation_setup()
and must not have produced any output yet.step
Which step the input data is for.
data
Input data to use.
data_length
Size of the
data
buffer in bytes.
Returns: psa_status_t
PSA_SUCCESS
Success.
PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid for this input
step
. This can happen if the application provides a step out of order or repeats a step that may not be repeated.The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_INVALID_ARGUMENT
The following conditions can result in this error:
step
is not compatible with the operation’s algorithm.step
does not permit direct inputs.data_length
is too small or too large forstep
in this particular algorithm.
PSA_ERROR_NOT_SUPPORTED
The following conditions can result in this error:
step
is not supported with the operation’s algorithm.data_length
is is not supported forstep
in this particular algorithm.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function passes direct inputs, which is usually correct for non-secret inputs. To pass a secret input, which is normally in a key object, call psa_key_derivation_input_key()
instead of this function. Refer to the documentation of individual step types (PSA_KEY_DERIVATION_INPUT_xxx
values of type psa_key_derivation_step_t
) for more information.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_input_integer
(function)¶
Provide a numeric input for key derivation or key agreement.
psa_status_t psa_key_derivation_input_integer(psa_key_derivation_operation_t * operation, psa_key_derivation_step_t step, uint64_t value);
Parameters
operation
The key derivation operation object to use. It must have been set up with
psa_key_derivation_setup()
and must not have produced any output yet.step
Which step the input data is for.
value
The value of the numeric input.
Returns: psa_status_t
PSA_SUCCESS
Success.
PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid for this input
step
. This can happen if the application provides a step out of order or repeats a step that may not be repeated.The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_INVALID_ARGUMENT
The following conditions can result in this error:
step
is not compatible with the operation’s algorithm.step
does not permit numerical inputs.value
is not valid forstep
in the operation’s algorithm.
PSA_ERROR_NOT_SUPPORTED
The following conditions can result in this error:
step
is not supported with the operation’s algorithm.value
is not supported forstep
in the operation’s algorithm.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
Which inputs are required and in what order depends on the algorithm. However, when an algorithm requires a particular order, numeric inputs usually come first as they tend to be configuration parameters. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function is used for inputs which are fixed-size non-negative integers.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_input_key
(function)¶
Provide an input for key derivation in the form of a key.
psa_status_t psa_key_derivation_input_key(psa_key_derivation_operation_t * operation, psa_key_derivation_step_t step, psa_key_id_t key);
Parameters
operation
The key derivation operation object to use. It must have been set up with
psa_key_derivation_setup()
and must not have produced any output yet.step
Which step the input data is for.
key
Identifier of the key. The key must have an appropriate type for
step
, it must permit the usagePSA_KEY_USAGE_DERIVE
orPSA_KEY_USAGE_VERIFY_DERIVATION
(see note), and it must permit the algorithm used by the operation.
Returns: psa_status_t
PSA_SUCCESS
Success.
PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid for this input
step
. This can happen if the application provides a step out of order or repeats a step that may not be repeated.The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_INVALID_HANDLE
key
is not a valid key identifier.PSA_ERROR_NOT_PERMITTED
The key has neither the
PSA_KEY_USAGE_DERIVE
nor thePSA_KEY_USAGE_VERIFY_DERIVATION
usage flag, or it does not permit the operation’s algorithm.PSA_ERROR_INVALID_ARGUMENT
The following conditions can result in this error:
step
is not compatible with the operation’s algorithm.step
does not permit key inputs of the given type, or does not permit key inputs at all.
PSA_ERROR_NOT_SUPPORTED
The following conditions can result in this error:
step
is not supported with the operation’s algorithm.Key inputs of the given type are not supported for
step
in the operation’s algorithm.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
Which inputs are required and in what order depends on the algorithm. Refer to the documentation of each key derivation or key agreement algorithm for information.
This function obtains input from a key object, which is usually correct for secret inputs or for non-secret personalization strings kept in the key store. To pass a non-secret parameter which is not in the key store, call psa_key_derivation_input_bytes()
instead of this function. Refer to the documentation of individual step types (PSA_KEY_DERIVATION_INPUT_xxx
values of type psa_key_derivation_step_t
) for more information.
Note
Once all inputs steps are completed, the following operations are permitted:
psa_key_derivation_output_bytes()
— if each input was either a direct input or a key with usage flagPSA_KEY_USAGE_DERIVE
.psa_key_derivation_output_key()
— if the input for stepPSA_KEY_DERIVATION_INPUT_SECRET
orPSA_KEY_DERIVATION_INPUT_PASSWORD
was a key with usage flagPSA_KEY_USAGE_DERIVE
, and every other input was either a direct input or a key with usage flagPSA_KEY_USAGE_DERIVE
.psa_key_derivation_verify_bytes()
— if each input was either a direct input, a key with usage flagPSA_KEY_USAGE_DERIVE
, or a key with usage flagPSA_KEY_USAGE_VERIFY_DERIVATION
.psa_key_derivation_verify_key()
— under the same conditions aspsa_key_derivation_verify_bytes()
.
If this function returns an error status, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_output_bytes
(function)¶
Read some data from a key derivation operation.
psa_status_t psa_key_derivation_output_bytes(psa_key_derivation_operation_t * operation, uint8_t * output, size_t output_length);
Parameters
operation
The key derivation operation object to read from.
output
Buffer where the output will be written.
output_length
Number of bytes to output.
Returns: psa_status_t
PSA_SUCCESS
Success. The first
output_length
bytes ofoutput
contain the derived data.PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be active, with all required input steps complete.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_NOT_PERMITTED
One of the inputs was a key whose policy did not permit
PSA_KEY_USAGE_DERIVE
.PSA_ERROR_INSUFFICIENT_DATA
The operation’s capacity was less than
output_length
bytes. In this case, the following occurs:No output is written to the output buffer.
The operation’s capacity is set to zero.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
This function calculates output bytes from a key derivation algorithm and returns those bytes. If the key derivation’s output is viewed as a stream of bytes, this function consumes the requested number of bytes from the stream and returns them to the caller. The operation’s capacity decreases by the number of bytes read.
A request to extract more data than the remaining capacity — output_length
>
psa_key_derivation_get_capacity
()
— fails with PSA_ERROR_INSUFFICIENT_DATA
, and sets the remaining capacity to zero.
If the operation’s capacity is zero, and output_length
is zero, then it is implementation defined whether this function returns PSA_SUCCESS
or PSA_ERROR_INSUFFICIENT_DATA
.
If this function returns an error status other than PSA_ERROR_INSUFFICIENT_DATA
, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
psa_key_derivation_output_key
(function)¶
Derive a key from an ongoing key derivation operation.
psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t * attributes, psa_key_derivation_operation_t * operation, psa_key_id_t * key);
Parameters
attributes
The attributes for the new key. This function uses the attributes as follows:
The key type is required. It cannot be an asymmetric public key.
The key size is required. It must be a valid size for the key type.
The key permitted-algorithm policy is required for keys that will be used for a cryptographic operation, see Permitted algorithms.
If the key type to be created is
PSA_KEY_TYPE_PASSWORD_HASH
, then the permitted-algorithm policy must be the same as the current operation’s algorithm.The key usage flags define what operations are permitted with the key, see Key usage flags.
The key lifetime and identifier are required for a persistent key.
Note
This is an input parameter: it is not updated with the final key attributes. The final attributes of the new key can be queried by calling
psa_get_key_attributes()
with the key’s identifier.operation
The key derivation operation object to read from.
key
On success, an identifier for the newly created key.
PSA_KEY_ID_NULL
on failure.
Returns: psa_status_t
PSA_SUCCESS
Success. If the key is persistent, the key material and the key’s metadata have been saved to persistent storage.
PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be active, with all required input steps complete.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_NOT_PERMITTED
The following conditions can result in this error:
The
PSA_KEY_DERIVATION_INPUT_SECRET
input step was neither provided through a key, nor the result of a key agreement.One of the inputs was a key whose policy did not permit
PSA_KEY_USAGE_DERIVE
.The implementation does not permit creating a key with the specified attributes due to some implementation-specific policy.
PSA_ERROR_ALREADY_EXISTS
This is an attempt to create a persistent key, and there is already a persistent key with the given identifier.
PSA_ERROR_INSUFFICIENT_DATA
There was not enough data to create the desired key. In this case, the following occurs:
No key is generated.
The operation’s capacity is set to zero.
PSA_ERROR_INVALID_ARGUMENT
The following conditions can result in this error:
The key type is invalid, or is an asymmetric public key type.
The key type is
PSA_KEY_TYPE_PASSWORD_HASH
, and the permitted-algorithm policy is not the same as the current operation’s algorithm.The key size is not valid for the key type. Implementations must reject an attempt to derive a key of size
0
.The key lifetime is invalid.
The key identifier is not valid for the key lifetime.
The key usage flags include invalid values.
The key’s permitted-usage algorithm is invalid.
The key attributes, as a whole, are invalid.
PSA_ERROR_NOT_SUPPORTED
The key attributes, as a whole, are not supported, either by the implementation in general or in the specified storage location.
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_INSUFFICIENT_STORAGE
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
This function calculates output bytes from a key derivation algorithm and uses those bytes to generate a key deterministically. The key’s location, policy, type and size are taken from attributes
.
If the key derivation’s output is viewed as a stream of bytes, this function consumes the required number of bytes from the stream. The operation’s capacity decreases by the number of bytes used to derive the key.
A request that needs to extract more data than the remaining capacity fails with PSA_ERROR_INSUFFICIENT_DATA
, and sets the remaining capacity to zero.
If this function returns an error status other than PSA_ERROR_INSUFFICIENT_DATA
, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
How much output is produced and consumed from the operation, and how the key is derived, depends on the key type. Table 8 describes the required key derivation procedures for standard key derivation algorithms. Implementations can use other methods for implementation-specific algorithms.
Key type |
Key type details and derivation procedure |
---|---|
AES ARC4 ARIA CAMELLIA ChaCha20 SM4 Secrets for derivation HMAC Password hashes |
For key types for which the key is an arbitrary sequence of bytes of a given size, this function is functionally equivalent to calling |
DES |
This function generates a key using the following process:
|
2-key 3DES 3-key 3DES |
The two or three keys are generated by repeated application of the process used to generate a DES key. For example, for 3-key 3DES, if the first 8 bytes specify a weak key and the next 8 bytes do not, discard the first 8 bytes, use the next 8 bytes as the first key, and continue reading output from the operation to derive the other two keys. |
Finite-field Diffie-Hellman keys ECC keys on a Weierstrass elliptic curve |
These key types require the generation of a private key \(d \in [1, N - 1]\), where \(N\) is the boundary of the private key domain: \(N\) is the prime \(p\) for Diffie-Hellman, or the order of the curve’s base point for ECC. Let \(m\) be the bit size of \(N\), such that \(2^{m-1} \leq N < 2^m\). This function generates the private key using the following process:
This method allows compliance to NIST standards, specifically the methods titled Key-Pair Generation by Testing Candidates in the following publications:
|
ECC keys on a Montgomery elliptic curve |
This function always draws a byte string whose length is determined by the curve, and sets the mandatory bits accordingly. That is:
|
Other key types |
This includes The way in which the operation output is consumed is implementation-defined. |
For algorithms that take an input step PSA_KEY_DERIVATION_INPUT_SECRET
, the input to that step must be provided with psa_key_derivation_input_key()
. Future versions of this specification might include additional restrictions on the derived key based on the attributes and strength of the secret key.
psa_key_derivation_verify_bytes
(function)¶
Compare output data from a key derivation operation to an expected value.
psa_status_t psa_key_derivation_verify_bytes(psa_key_derivation_operation_t * operation, const uint8_t *expected_output, size_t output_length);
Parameters
operation
The key derivation operation object to read from.
expected_output
Buffer containing the expected derivation output.
output_length
Length of the expected output. This is also the number of bytes that will be read.
Returns: psa_status_t
PSA_SUCCESS
Success. The output of the key derivation operation matches
expected_output
.PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be active, with all required input steps complete.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_NOT_PERMITTED
One of the inputs is a key whose policy permits neither
PSA_KEY_USAGE_DERIVE
norPSA_KEY_USAGE_VERIFY_DERIVATION
.PSA_ERROR_INVALID_SIGNATURE
The output of the key derivation operation does not match the value in
expected_output
.PSA_ERROR_INSUFFICIENT_DATA
The operation’s capacity was less than
output_length
bytes. In this case, the operation’s capacity is set to zero.PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
This function calculates output bytes from a key derivation algorithm and compares those bytes to an expected value.
If the key derivation’s output is viewed as a stream of bytes, this function destructively reads output_length
bytes from the stream before comparing them with expected_output
.
The operation’s capacity decreases by the number of bytes read.
A request to extract more data than the remaining capacity — output_length
>
psa_key_derivation_get_capacity
()
— fails with PSA_ERROR_INSUFFICIENT_DATA
, and sets the remaining capacity to zero.
If the operation’s capacity is zero, and output_length
is zero, then it is implementation defined whether this function returns PSA_SUCCESS
or PSA_ERROR_INSUFFICIENT_DATA
.
If this function returns an error status other than PSA_ERROR_INSUFFICIENT_DATA
, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
Note
A call to psa_key_derivation_verify_bytes()
is functionally equivalent to the following code:
uint8_t tmp[output_length]; psa_key_derivation_output_bytes(operation, tmp, output_length); if (memcmp(expected_output, tmp, output_length) != 0) return PSA_ERROR_INVALID_SIGNATURE;
However, calling psa_key_derivation_verify_bytes()
works even if the key’s policy does not permit output of the bytes.
Implementation note
Implementations must make the best effort to ensure that the comparison between the actual key derivation output and the expected output is performed in constant time.
psa_key_derivation_verify_key
(function)¶
Compare output data from a key derivation operation to an expected value stored in a key.
psa_status_t psa_key_derivation_verify_key(psa_key_derivation_operation_t * operation, psa_key_id_t expected);
Parameters
operation
The key derivation operation object to read from.
expected
A key of type
PSA_KEY_TYPE_PASSWORD_HASH
containing the expected output. The key must permit the usagePSA_KEY_USAGE_VERIFY_DERIVATION
, and the permitted algorithm must match the operation’s algorithm.The value of this key is typically computed by a previous call to psa_key_derivation_output_key().
Returns: psa_status_t
PSA_SUCCESS
Success. The output of the key derivation operation matches the
expected
key value.PSA_ERROR_BAD_STATE
The following conditions can result in this error:
The operation state is not valid: it must be active, with all required input steps complete.
The library requires initializing by a call to
psa_crypto_init()
.
PSA_ERROR_INVALID_HANDLE
expected
is not a valid key identifier.PSA_ERROR_NOT_PERMITTED
The following conditions can result in this error:
The
expected
key does not have thePSA_KEY_USAGE_VERIFY_DERIVATION
flag, or it does not permit the requested algorithm.One of the inputs is a key whose policy permits neither
PSA_KEY_USAGE_DERIVE
norPSA_KEY_USAGE_VERIFY_DERIVATION
.
PSA_ERROR_INVALID_SIGNATURE
The output of the key derivation operation does not match the value of the
expected
key.PSA_ERROR_INSUFFICIENT_DATA
The operation’s capacity was less than the length of the
expected
key. In this case, the operation’s capacity is set to zero.PSA_ERROR_INVALID_ARGUMENT
The key type is not
PSA_KEY_TYPE_PASSWORD_HASH
.PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
PSA_ERROR_STORAGE_FAILURE
PSA_ERROR_DATA_CORRUPT
PSA_ERROR_DATA_INVALID
Description
This function calculates output bytes from a key derivation algorithm and compares those bytes to an expected value, provided as key of type PSA_KEY_TYPE_PASSWORD_HASH
.
If the key derivation’s output is viewed as a stream of bytes, this function destructively reads the number of bytes corresponding to the length of the expected
key from the stream before comparing them with the key value.
The operation’s capacity decreases by the number of bytes read.
A request that needs to extract more data than the remaining capacity fails with PSA_ERROR_INSUFFICIENT_DATA
, and sets the remaining capacity to zero.
If this function returns an error status other than PSA_ERROR_INSUFFICIENT_DATA
, the operation enters an error state and must be aborted by calling psa_key_derivation_abort()
.
Note
A call to psa_key_derivation_verify_key()
is functionally equivalent to exporting the expected
key and calling psa_key_derivation_verify_bytes()
on the result, except that it works when the key cannot be exported.
Implementation note
Implementations must make the best effort to ensure that the comparison between the actual key derivation output and the expected output is performed in constant time.
psa_key_derivation_abort
(function)¶
Abort a key derivation operation.
psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t * operation);
Parameters
operation
The operation to abort.
Returns: psa_status_t
PSA_SUCCESS
Success. The operation object can now be discarded or reused.
PSA_ERROR_BAD_STATE
The library requires initializing by a call to
psa_crypto_init()
.PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_CORRUPTION_DETECTED
Description
Aborting an operation frees all associated resources except for the operation
object itself. Once aborted, the operation object can be reused for another operation by calling psa_key_derivation_setup()
again.
This function can be called at any time after the operation object has been initialized as described in psa_key_derivation_operation_t
.
In particular, it is valid to call psa_key_derivation_abort()
twice, or to call psa_key_derivation_abort()
on an operation that has not been set up.
10.6.4. Support macros¶
PSA_ALG_IS_KEY_DERIVATION_STRETCHING
(macro)¶
Whether the specified algorithm is a key-stretching or password-hashing algorithm.
#define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) \ /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is a key-stretching or password-hashing algorithm, 0
otherwise.
This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm algorithm identifier.
Description
A key-stretching or password-hashing algorithm is a key derivation algorithm that is suitable for use with a low-entropy secret such as a password.
Equivalently, it’s a key derivation algorithm that uses a PSA_KEY_DERIVATION_INPUT_PASSWORD
input step.
PSA_ALG_IS_HKDF
(macro)¶
Whether the specified algorithm is an HKDF algorithm (PSA_ALG_HKDF
(
hash_alg
)
).
#define PSA_ALG_IS_HKDF(alg) /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is an HKDF algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
Description
HKDF is a family of key derivation algorithms that are based on a hash function and the HMAC construction.
PSA_ALG_IS_HKDF_EXTRACT
(macro)¶
Whether the specified algorithm is an HKDF-Extract algorithm (PSA_ALG_HKDF_EXTRACT
(
hash_alg
)
).
#define PSA_ALG_IS_HKDF_EXTRACT(alg) /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is an HKDF-Extract algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_ALG_IS_HKDF_EXPAND
(macro)¶
Whether the specified algorithm is an HKDF-Expand algorithm (PSA_ALG_HKDF_EXPAND
(
hash_alg
)
).
#define PSA_ALG_IS_HKDF_EXPAND(alg) /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is an HKDF-Expand algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_ALG_IS_SP800_108_COUNTER_HMAC
(macro)¶
Whether the specified algorithm is a key derivation algorithm constructed using PSA_ALG_SP800_108_COUNTER_HMAC
(
hash_alg
)
.
#define PSA_ALG_IS_SP800_108_COUNTER_HMAC(alg) \ /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is a key derivation algorithm constructed using PSA_ALG_SP800_108_COUNTER_HMAC
()
, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_ALG_IS_TLS12_PRF
(macro)¶
Whether the specified algorithm is a TLS-1.2 PRF algorithm.
#define PSA_ALG_IS_TLS12_PRF(alg) /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is a TLS-1.2 PRF algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_ALG_IS_TLS12_PSK_TO_MS
(macro)¶
Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.
#define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is a TLS-1.2 PSK to MS algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_ALG_IS_PBKDF2_HMAC
(macro)¶
Whether the specified algorithm is a PBKDF2-HMAC algorithm.
#define PSA_ALG_IS_PBKDF2_HMAC(alg) /* specification-defined value */
Parameters
alg
An algorithm identifier: a value of type
psa_algorithm_t
.
Returns
1
if alg
is a PBKDF2-HMAC algorithm, 0
otherwise. This macro can return either 0
or 1
if alg
is not a supported key derivation algorithm identifier.
PSA_KEY_DERIVATION_UNLIMITED_CAPACITY
(macro)¶
Use the maximum possible capacity for a key derivation operation.
#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY \ /* implementation-defined value */
Use this value as the capacity argument when setting up a key derivation to specify that the operation will use the maximum possible capacity. The value of the maximum possible capacity depends on the key derivation algorithm.
PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE
(macro)¶
This macro returns the maximum supported length of the PSK for the TLS-1.2 PSK-to-MS key derivation.
#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE /* implementation-defined value */
This implementation-defined value specifies the maximum length for the PSK input used with a PSA_ALG_TLS12_PSK_TO_MS()
key agreement algorithm.
Quoting Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) [RFC4279] §5.3:
TLS implementations supporting these cipher suites MUST support arbitrary PSK identities up to 128 octets in length, and arbitrary PSKs up to 64 octets in length. Supporting longer identities and keys is RECOMMENDED.
Therefore, it is recommended that implementations define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE
with a value greater than or equal to 64
.
PSA_TLS12_ECJPAKE_TO_PMS_OUTPUT_SIZE
(macro)¶
The size of the output from the TLS 1.2 ECJPAKE-to-PMS key-derivation algorithm, in bytes.
#define PSA_TLS12_ECJPAKE_TO_PMS_OUTPUT_SIZE 32
This value can be used when extracting the result of a key-derivation operation that was set up with the PSA_ALG_TLS12_ECJPAKE_TO_PMS
algorithm.