Issues with CryptoSys KeyExchange

1. Key Derivation Function Based on Concatenation

You will not be able to reproduce the test vectors provided in section D.5.1 of ANSI X9.42-2003, "Examples of the Key Derivation Function Based on Concatenation", for the simple reason that the test vectors in X9.42 are wrong!

The text in X9.42 describes the basic key derivation formula using concatenation:

K = H( ZZ || Counter || OtherInfo )

This is correct and is what we use in the KXDH_DeriveKeyingData() function and DeriveKeyingData methods in CryptoSys KeyExchange. However, in their test vectors in Appendix D, the authors of X9.42 appear to be using the incorrect formula

K = H( ZZ || OtherInfo || Counter )

The correct test vectors are as follows:

D.5.1.1 Invocation 1 where OtherInfo = "HMAC Key"
X9.42 Z_1 (wrong): 95D6 41F4 2645 88E4 E2B6 E3E9 1345 62BC 1823 69EB
Correct Z_1      : bc98eb018cb00ee26d1f97a15ae166912a7ac4c5

D.5.1.1 Invocation 2 where OtherInfo = "TDEA Key"
X9.42 Z_1 (wrong): EA35 A6C8 84D2 4D73 4793 9E1F DA75 FD79 95CF D4AC
Correct Z_1      : 91df6ba74b2b634cab78715118309dc580fe8c4d

D.5.1.2 where OtherInfo = "HMAC and TDEA Keys"
X9.42 Z_1 (wrong): F13D BE8D 2C11 526C 6F6E 0BAE 7C88 47AB 5FFA 5844
Correct Z_1      : 87986e5d66b7b949431049cce68c6c174c001c46

More details at X9.42 Test Vectors Are Wrong.

Many thanks to Wolfgang Ehrhardt for solving this puzzle.
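
The two orderings compared above, as an added example that is not CryptoSys KeyExchange code. It assumes SHA-1 as H (consistent with the 160-bit vectors listed), a 32-bit big-endian Counter starting at 1, and OtherInfo taken as ASCII bytes; SAMPLE_ZZ is a constructed value, not the ZZ from X9.42, so its outputs will not match the vectors above.

```python
import hashlib
import struct

def kdf_concat(zz, other_info, key_len, counter_last=False):
    """Concatenation KDF over SHA-1 (assumed H).

    counter_last=False: H(ZZ || Counter || OtherInfo), the formula in the X9.42 text.
    counter_last=True:  H(ZZ || OtherInfo || Counter), the ordering the appendix
                        vectors appear to use.
    """
    out = b""
    counter = 1  # assumption: 32-bit big-endian counter starting at 1
    while len(out) < key_len:
        ctr = struct.pack(">I", counter)
        tail = other_info + ctr if counter_last else ctr + other_info
        out += hashlib.sha1(zz + tail).digest()
        counter += 1
    return out[:key_len]

ORDERINGS = (("ZZ||Counter||OtherInfo", False), ("ZZ||OtherInfo||Counter", True))

def identify_ordering(zz, other_info, expected_hex):
    """Return the ordering names whose output equals a published vector.

    Accepts either hex style used on this page: 'bc98eb01...' or '95D6 41F4 ...'.
    """
    expected = bytes.fromhex("".join(expected_hex.split()))
    return [name for name, last in ORDERINGS
            if kdf_concat(zz, other_info, len(expected), last) == expected]

# Constructed shared secret, NOT the ZZ from X9.42 Appendix D.
SAMPLE_ZZ = bytes(range(20))

if __name__ == "__main__":
    for info in (b"HMAC Key", b"TDEA Key", b"HMAC and TDEA Keys"):
        good = kdf_concat(SAMPLE_ZZ, info, 20)
        swapped = kdf_concat(SAMPLE_ZZ, info, 20, counter_last=True)
        print(info.decode(), good.hex(), swapped.hex(), sep="\n  ")
        print("  vector matches:", identify_ordering(SAMPLE_ZZ, info, swapped.hex()))
```

Run identify_ordering with the real ZZ from the standard and a published vector to see which ordering a given test vector was generated with before concluding that an implementation is at fault.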

Resolution

This is not a problem with CryptoSys KeyExchange but rather a mistake in the original X9.42 documentation.

This page last updated: 9 July 2008

Copyright © 2006-8 D.I. Management Services Pty Limited ABN 78 083 210 584, Sydney, Australia. All rights reserved.