From 4e8aaf98c57a4bfff387dcde2c241f2c23f9eda2 Mon Sep 17 00:00:00 2001
From: Jim Schaad <ietf@augustcellars.com>
Date: Mon, 7 Mar 2016 15:15:46 -0800
Subject: [PATCH 1/2] Changes to switch from NIST to IETF version of HKDF

These are the top level changes to switch from using the HKDF-CTR
defined in NIST SP 800-108 to the IETF RFC 5869 HKDF function.

Both salt and info have been defined as being optional as per the IETF
algorithm.
---
 spec/Overview-WebCryptoAPI.xml | 117 +++++++++++++--------------------
 1 file changed, 44 insertions(+), 73 deletions(-)

diff --git a/spec/Overview-WebCryptoAPI.xml b/spec/Overview-WebCryptoAPI.xml
index 3bda45b..e960645 100644
--- a/spec/Overview-WebCryptoAPI.xml
+++ b/spec/Overview-WebCryptoAPI.xml
@@ -3547,7 +3547,7 @@ dictionary <dfn id="dfn-CryptoKeyPair">CryptoKeyPair</dfn> {
               <td />
             </tr>
             <tr>
-              <td><a href="#hkdf-ctr">HKDF-CTR</a></td>
+              <td><a href="#hkdf">HKDF</a></td>
               <td />
               <td />
               <td />
@@ -14570,18 +14570,16 @@ required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn
         </div>
       </div>
       
-      <div id="hkdf-ctr" class="section">
-        <h3>HKDF-CTR</h3>
-        <div id="hkdf-ctr-description" class="section">
+      <div id="hkdf" class="section">
+        <h3>HKDF</h3>
+        <div id="hkdf-description" class="section">
           <h4>Description</h4>
           <p class="norm">This section is non-normative.</p>
           <p>
-            The <code>"HKDF-CTR"</code> algorithm identifier is used to
+            The <code>"HKDF"</code> algorithm identifier is used to
             perform key derivation using the extraction-then-expansion approach described in
-            [<a href="#SP800-56C">NIST SP800-56C</a>], using HMAC in counter mode, and
-            using the SHA hash functions defined in this specification
-            as described in Section 5.1 of
-            [<a href="#SP800-108">NIST SP800-108</a>].
+            [<a href="#RFC5869">RFC 5869</a>] and
+            using the SHA hash functions defined in this specification.
           </p>
           <p>
             <a href="#dfn-applicable-specification">Other specifications</a>
@@ -14589,11 +14587,11 @@ required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn
             Such specifications must define the digest operation for the additional hash algorithms.
           </p>
         </div>
-        <div id="hkdf-ctr-registration" class="section">
+        <div id="hkdf-registration" class="section">
           <h4>Registration</h4>
           <p>
             The <a href="#recognized-algorithm-name">recognized algorithm name</a>
-            for this algorithm is <code>"HKDF-CTR"</code>.
+            for this algorithm is <code>"HKDF"</code>.
           </p>
           <table>
             <thead>
@@ -14606,7 +14604,7 @@ required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn
             <tbody>
               <tr>
                 <td>deriveBits</td>
-                <td><a href="#dfn-HkdfCtrParams">HkdfCtrParams</a></td>
+                <td><a href="#dfn-HkdfParams">HkdfParams</a></td>
                 <td><a href="#dfn-ArrayBuffer">ArrayBuffer</a></td>
               </tr>
               <tr>
@@ -14617,25 +14615,25 @@ required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn
               <tr>
                 <td>Get key length</td>
                 <td>None</td>
-                <td>Integer or null</td>
+                <td>null</td>
               </tr>
             </tbody>
           </table>
         </div>
-        <div id="hkdf-ctr-params" class="section">
-          <h4>HkdfCtrParams dictionary</h4>
+        <div id="hkdf-params" class="section">
+          <h4>HkdfParams dictionary</h4>
           <x:codeblock language="idl">
-dictionary <dfn id="dfn-HkdfCtrParams">HkdfCtrParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
-<span class="comment">// The algorithm to use with HMAC (e.g.: <a href="#alg-sha-256">SHA-256</a>)</span>
-required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn id="dfn-HkdfCtrParams-hash">hash</dfn>;
-<span class="comment">// A bit string that corresponds to the label that identifies the purpose for the derived keying material.</span>
-required BufferSource <dfn id="dfn-HkdfCtrParams-label">label</dfn>;
-<span class="comment">// A bit string that corresponds to the context of the key derivation, as described in Section 5 of [<a href="#SP800-108">NIST SP800-108</a>]</span>
-required BufferSource <dfn id="dfn-HkdfCtrParams-context">context</dfn>;
+dictionary <dfn id="dfn-HkdfParams">HkdfParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
+  <span class="comment">// The algorithm to use with HMAC (e.g.: <a href="#alg-sha-256">SHA-256</a>)</span>
+  required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn id="dfn-HkdfParams-hash">hash</dfn>;
+  <span class="salt">// A bit string that corresponds to the salt used in the extract step.</span>
+  optional BufferSource <dfn id="dfn-HkdfParams-salt">salt</dfn>;
+  <span class="comment">// A bit string that corresponds to the context and application specific context for the derived keying material.</span>
+  optional BufferSource <dfn id="dfn-HkdfParams-info">info</dfn>;
 };
           </x:codeblock>
         </div>
-        <div id="hkdf2-ctr-operations" class="section">
+        <div id="hkdf2-operations" class="section">
           <h4>Operations</h4>
           <dl>
             <dt>Derive Bits</dt>
@@ -14648,7 +14646,7 @@ required BufferSource <dfn id="dfn-HkdfCtrParams-context">context</dfn>;
                 </li>
                 <li>
                   <p>
-                    If the <a href="#dfn-HkdfCtrParams-hash">hash</a> member of
+                    If the <a href="#dfn-HkdfParams-hash">hash</a> member of
                     <var>normalizedAlgorithm</var> does not describe a <a href="#algorithms">
                     recognized algorithm</a> that supports the digest operation, then
                     <a href="#concept-throw">throw</a> a
@@ -14657,58 +14655,42 @@ required BufferSource <dfn id="dfn-HkdfCtrParams-context">context</dfn>;
                 </li>
                 <li>
                   <p>
-                    Let <var>extractKey</var> be a key equal to <var>n</var> zero bits where
-                    <var>n</var> is the size of the output of the hash function described by the
-                    <a href="#dfn-HkdfCtrParams-hash">hash</a> member of
-                    <var>normalizedAlgorithm</var>.
-                  </p>
-                </li>
-                <li>
-                  <p>
-                    Let <var>prf</var> be the MAC Generation function described in Section 4 of
-                    [<a href="#fips-pub-198-1">FIPS PUB 198-1</a>] using the hash function
-                    described by the <a href="#dfn-HkdfCtrParams-hash">hash</a> member of
-                    <var>normalizedAlgorithm</var>.
-                  </p>
-                </li>
-                <li>
-                  <p>
-                    Let <var>keyDerivationKey</var> be the result of performing <var>prf</var>
-                    using <var>extractKey</var> as the key and the secret represented by [[<a
+                    Let <var>keyDerivationKey</var> be the secret represented by [[<a
                     href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>key</var>
                     as the message.
                   </p>
                 </li>
                 <li>
                   <p>
-                    Let <var>result</var> be the result of performing the KDF in counter
-                    mode operation described in Section 5.1 of
-                    [<a href="#SP800-108">NIST SP800-108</a>] using:
+                    Let <var>result</var> be the result of performing the HKDF extract and then
+                    the HKDF expand step described in Section 2 of
+                    [<a href="#RFC5869">RFC 5869</a>] using:
                   </p>
                   <ul>
                     <li>
                       <p>
-                        <var>prf</var> as the Pseudo-Random Function, <var>PRF</var>,
+                        the <a href="#dfn-HkdfParams-hash">hash</a> member of
+                        <var>normalizedAlgorithm</var> as <var>Hash</var>,
                       </p>
                     </li>
                     <li>
                       <p>
-                        <var>keyDerivationKey</var> as the Key derivation key,
-                        <var>K<sub>I</sub></var>,
+                        <var>keyDerivationKey</var> as the input keying material,
+                        <var>IKM</var>,
                       </p>
                     </li>
                     <li>
                       <p>
-                        <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
-                        href="#dfn-HkdfCtrParams-label">label</a> member of
-                        <var>normalizedAlgorithm</var> as <var>Label</var>,
+                        if present <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
+                        href="#dfn-HkdfParams-salt">salt</a> member of
+                        <var>normalizedAlgorithm</var> as <var>salt</var>,
                       </p>
                     </li>
                     <li>
                       <p>
-                        <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
-                        href="#dfn-HkdfCtrParams-label">context</a> member of
-                        <var>normalizedAlgorithm</var> as <var>Context</var>,
+                        if present <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
+                        href="#dfn-HkdfParams-info">info</a> member of
+                        <var>normalizedAlgorithm</var> as <var>info</var>,
                       </p>
                     </li>
                     <li>
@@ -14716,17 +14698,6 @@ required BufferSource <dfn id="dfn-HkdfCtrParams-context">context</dfn>;
                         <var>length</var> as the value of <var>L</var>,
                       </p>
                     </li>
-                    <li>
-                      <p>
-                        32 as the value of <var>r</var>, and
-                      </p>
-                    </li>
-                    <li>
-                      <p>
-                        the 32-bit little-endian binary encoding of <var>length</var>
-                        as the encoded length value [<var>L</var>]<sub>2</sub>.
-                      </p>
-                    </li>
                   </ul>
                 </li>
                 <li>
@@ -14786,7 +14757,7 @@ required BufferSource <dfn id="dfn-HkdfCtrParams-context">context</dfn>;
                         <li>
                           <p>
                             Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
-                            <var>algorithm</var> to <code>"HKDF-CTR"</code>.
+                            <var>algorithm</var> to <code>"HKDF"</code>.
                           </p>
                         </li>
                         <li>
@@ -15365,12 +15336,6 @@ window.crypto.subtle.generateKey(aesAlgorithmKeyGen, false, ["encrypt"]).then(
               <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-56C/SP-800-56C.pdf">
               NIST Special Publication 800-56C: Recommendation for Key Derivation through
               Extraction-then-Expansion</a></cite>, November 2011, NIST.
-            </dd>
-            <dt id="SP800-108">NIST SP 800-108</dt>
-            <dd>
-              <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf">
-              NIST Special Publication 800-108: Recommendation for Key Derivation Using
-              Pseudorandom Functions (Revised)</a></cite>, October 2009, NIST.
             </dd>
              <dt id="RFC2119">RFC 2119</dt>
              <dd>
@@ -15422,7 +15387,13 @@ window.crypto.subtle.generateKey(aesAlgorithmKeyGen, false, ["encrypt"]).then(
               <cite><a href="http://www.ietf.org/rfc/rfc5480.txt">Elliptic Curve Cryptography Subject
               Public Key Information</a></cite>,
               S. Turner, D. Brown, K. Yiu, R. Housley, T. Polk. IETF.
-             </dd> 
+             </dd>
+             <dt id="RFC5869">RFC 5869</dt>
+             <dd>
+               <cite><a href="https://www.ietf.org/rfc/rfc5869.txt">HMAC-based Extract-and-Expand Key
+               Derivation Function (HKDF)"</a></cite>,
+               H. Krawczyk, P. Eronen. IETF.
+             </dd>
              <dt id="RFC5915">RFC 5915</dt>
              <dd>
               <cite><a href="http://www.ietf.org/rfc/rfc5915.txt">Elliptic Curve Private Key Structure

From 32a8ee4e6d8a8e60baf7c229588446a8197652b6 Mon Sep 17 00:00:00 2001
From: Jim Schaad <ietf@augustcellars.com>
Date: Wed, 24 Aug 2016 15:10:39 -0700
Subject: [PATCH 2/2] Make Salt and info required

Change so that salt and info are now required fields
---
 spec/Overview-WebCryptoAPI.xml |  6 +++---
 spec/Overview.html             | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/spec/Overview-WebCryptoAPI.xml b/spec/Overview-WebCryptoAPI.xml
index 4d51396..c9f9ea8 100644
--- a/spec/Overview-WebCryptoAPI.xml
+++ b/spec/Overview-WebCryptoAPI.xml
@@ -14732,7 +14732,7 @@ dictionary <dfn id="dfn-HmacKeyGenParams">HmacKeyGenParams</dfn> : <a href="#dfn
 dictionary <dfn id="dfn-HkdfParams">HkdfParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
   <span class="comment">// The algorithm to use with HMAC (e.g.: <a href="#alg-sha-256">SHA-256</a>)</span>
   required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn id="dfn-HkdfParams-hash">hash</dfn>;
-  <span class="salt">// A bit string that corresponds to the salt used in the extract step.</span>
+  <span class="comment">// A bit string that corresponds to the salt used in the extract step.</span>
   required BufferSource <dfn id="dfn-HkdfParams-salt">salt</dfn>;
   <span class="comment">// A bit string that corresponds to the context and application specific context for the derived keying material.</span>
   required BufferSource <dfn id="dfn-HkdfParams-info">info</dfn>;
@@ -14787,14 +14787,14 @@ dictionary <dfn id="dfn-HkdfParams">HkdfParams</dfn> : <a href="#dfn-Algorithm">
                     </li>
                     <li>
                       <p>
-                        if present <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
+                        <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
                         href="#dfn-HkdfParams-salt">salt</a> member of
                         <var>normalizedAlgorithm</var> as <var>salt</var>,
                       </p>
                     </li>
                     <li>
                       <p>
-                        if present <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
+                        <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a
                         href="#dfn-HkdfParams-info">info</a> member of
                         <var>normalizedAlgorithm</var> as <var>info</var>,
                       </p>
diff --git a/spec/Overview.html b/spec/Overview.html
index 1a0cb31..44d4970 100644
--- a/spec/Overview.html
+++ b/spec/Overview.html
@@ -28,7 +28,7 @@
   <link rel="stylesheet" href="//www.w3.org/StyleSheets/TR/2016/W3C-ED" type="text/css" /></head>
 
   <body>
-    <div class="head"><p><a class="logo" href="http://www.w3.org/"><img src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72" height="48" alt="W3C" /></a></p><h1>Web Cryptography API</h1><h2>W3C Editor’s Draft <em>NaN @@ 2016</em></h2><dl><dt>Latest Editor’s Draft:</dt><dd><a href="http://w3c.github.io/webcrypto/Overview.html">http://w3c.github.io/webcrypto/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editor:</dt><dd><a href="http://www.netflix.com/">Mark Watson</a>, Netflix &lt;watsonm@netflix.com&gt;</dd><dt>Participate:</dt><dd><a href="https://github.com/w3c/webcrypto">We are on GitHub</a>.
+    <div class="head"><p><a class="logo" href="http://www.w3.org/"><img src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72" height="48" alt="W3C" /></a></p><h1>Web Cryptography API</h1><h2>W3C Editor’s Draft <em>24 August 2016</em></h2><dl><dt>Latest Editor’s Draft:</dt><dd><a href="http://w3c.github.io/webcrypto/Overview.html">http://w3c.github.io/webcrypto/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editor:</dt><dd><a href="http://www.netflix.com/">Mark Watson</a>, Netflix &lt;watsonm@netflix.com&gt;</dd><dt>Participate:</dt><dd><a href="https://github.com/w3c/webcrypto">We are on GitHub</a>.
           </dd><dd>
           Send feedback to <a href="mailto:public-webcrypto@w3.org?subject=%5BWebCryptoAPI%5D">public-webcrypto@w3.org</a> (<a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>).
           </dd><dd><a href="https://github.com/w3c/webcrypto/issues/new">File a bug</a>
@@ -60,7 +60,7 @@ <h2>Status of this Document</h2>
         report can be found in the <a href="http://www.w3.org/TR/">W3C technical
           reports index</a> at http://www.w3.org/TR/.
       </em></p><p>
-        This document is the NaN @@ 2016 <b>Editor’s Draft</b> of the
+        This document is the 24 August 2016 <b>Editor’s Draft</b> of the
         <cite>Web Cryptography API</cite> specification.
       
       Please send comments about this document to
@@ -14255,7 +14255,7 @@ <h4>31.3. HkdfParams dictionary</h4>
 dictionary <dfn id="dfn-HkdfParams">HkdfParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
   <span class="comment">// The algorithm to use with HMAC (e.g.: <a href="#alg-sha-256">SHA-256</a>)</span>
   required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn id="dfn-HkdfParams-hash">hash</dfn>;
-  <span class="salt">// A bit string that corresponds to the salt used in the extract step.</span>
+  <span class="comment">// A bit string that corresponds to the salt used in the extract step.</span>
   required BufferSource <dfn id="dfn-HkdfParams-salt">salt</dfn>;
   <span class="comment">// A bit string that corresponds to the context and application specific context for the derived keying material.</span>
   required BufferSource <dfn id="dfn-HkdfParams-info">info</dfn>;
@@ -14309,13 +14309,13 @@ <h4>31.4. Operations</h4>
                     </li>
                     <li>
                       <p>
-                        if present <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a href="#dfn-HkdfParams-salt">salt</a> member of
+                        <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a href="#dfn-HkdfParams-salt">salt</a> member of
                         <var>normalizedAlgorithm</var> as <var>salt</var>,
                       </p>
                     </li>
                     <li>
                       <p>
-                        if present <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a href="#dfn-HkdfParams-info">info</a> member of
+                        <a href="#concept-contents-of-arraybuffer">the contents of</a> the <a href="#dfn-HkdfParams-info">info</a> member of
                         <var>normalizedAlgorithm</var> as <var>info</var>,
                       </p>
                     </li>