1

I am in the processing of implementing a CNG ECDH and then I am trying to use the BCRYPT_KDF_SP80056A_CONCAT KDF to derive a symmetric AES256 key (BCryptDeriveKey()). I am having a problem (i always get back 0xc000000d status returned.)

i have generated a shared secret successfully and I have created the buffer desc "BCryptBufferDesc" which has an array of "BCryptBuffer" with 1 AlgorithmID, 1 PartyU and 1 PartyV "other info". I think I have the structures all defined and populated properly. I am just picking some "values" for PartyU and PartyV bytes (i tried 1 byte and 16 bytes for each but i get the same result). NIST documentation gives no details about what the other info should be..

i have followed the Microsoft web site for creating these structures, using their strings, defines, etc. I tried with the standard L"HASH" kdf and it works and i get the same derived key on both "sides", but with the concatenation KDF i always get the same 0xC000000D status back..

Has anybody else been able to successfully use BCRYPT_KDF_SP80056A_CONCAT CNG KDF? If you did, do you have any hints?

Daniel Scire
  • 221
  • 1
  • 9

1 Answers1

2

This worked for me:

    ULONG derivedKeySize = 32;
    BCryptBufferDesc params;
    params.ulVersion = BCRYPTBUFFER_VERSION;
    params.cBuffers = 3;
    params.pBuffers = new BCryptBuffer[params.cBuffers];
    params.pBuffers[0].cbBuffer = 0;
    params.pBuffers[0].BufferType = KDF_ALGORITHMID;
    params.pBuffers[0].pvBuffer = new byte[0];
    params.pBuffers[1].cbBuffer = 0;
    params.pBuffers[1].BufferType = KDF_PARTYUINFO;
    params.pBuffers[1].pvBuffer = new byte[0];
    params.pBuffers[2].cbBuffer = 0;
    params.pBuffers[2].BufferType = KDF_PARTYVINFO;
    params.pBuffers[2].pvBuffer = new byte[0];

    NTSTATUS rv = BCryptDeriveKey(secretHandle, L"SP800_56A_CONCAT", &params, NULL, 0, &derivedKeySize, 0);
    if (rv != 0){/*fail*/}

    UCHAR derivedKey = new UCHAR[derivedKeySize];

    rv = BCryptDeriveKey(secretHandle, L"SP800_56A_CONCAT", &params, derivedKey, derivedKeySize, &derivedKeySize, 0);
    if (rv  != 0){/*fail*/}
Rasmus Faber
  • 48,631
  • 24
  • 141
  • 189