Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: hash_hkdf() signature and return value
From: narf@devilix.net (Andrey Andreev)
To: Yasuo Ohgaki
Cc: internals@lists.php.net, Nikita Popov
Date: Fri, 8 Sep 2017 02:14:51 +0300

Hi,

On Fri, Sep 8, 2017 at 12:32 AM, Yasuo Ohgaki wrote:
>
> The reason why the latter is a lot more secure is related to Andrey's
> misunderstanding.
> He said "when ikm is cryptographically strong, salt wouldn't add any more
> entropy, so salt does not matter". (not exact sentence)
> What he said is partially true, but wrong in the sense of key security.
>

I have never said that. You are aware enough of your own English fluency, and should know not to paraphrase other people's words, as you are completely twisting their meaning.

>
> Another misunderstanding that should be noted is what HKDF is for. It's for general
> purpose KDF as the RFC described in the HKDF application section. Andrey said
> "I'm cherry picking a sentence", but the section should be what HKDF is for.
> The section even describes an obscure usage, HKDF for CSPRNG. This usage
> is not even key derivation.
>

You ARE cherry-picking, and ignoring all evidence that contradicts you:

> This one I'm not sure is a misunderstanding or not, but probably it is.
> HKDF is designed for any ikm and works with appropriate usage. Very
> weak ikm like a user-entered password can be handled relatively safely.
>
> $safe_key = hash_hkdf("sha256", 'mypassword', 0, '', $csprng_generated_random_key);
> // $csprng_generated_random_key should be kept secret because ikm is too weak
>
> Without salt, it's a disaster. Please note that salt is the last optional
> parameter currently.
>
> $dangerous_key = hash_hkdf("sha256", 'mypassword'); // Disaster!
>
> With this usage, attackers can build a pre-hashed dictionary. Even when they
> don't have a dictionary, the usual brute force attack is very effective. One may think
> additional hashing would mitigate the risk, i.e.
>
> $dangerous_key = hash_hkdf("sha256", hash("sha256", 'mypassword')); // Disaster!
>
> This does not help much when the algorithm is known to attackers. Brute force
> attack is still effective. Adding a secret salt (key) helps with this usage also.
>

IKM must always be strong; this is explicitly stated in the RFC, as I already pointed out here: https://externals.io/message/98639#98874

And the reasons why were already explained in very simple terms here: https://externals.io/message/98250#98272

Enough already.

Cheers,
Andrey.
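For readers following the argument above, here is an added example (written for this edit, not code from the thread or from PHP itself): a pure-Python HKDF per RFC 5869 whose wrapper mirrors PHP's hash_hkdf() argument order (algo, ikm, length, info, salt), so the "salt is the last optional parameter" point and the RFC's zero-salt default are visible directly. The derive_subkeys helper and its labels are assumptions made for illustration.

```python
# Added example (not from the thread or PHP): HKDF per RFC 5869, wrapped in
# a function with PHP's hash_hkdf() parameter order (algo, ikm, length, info, salt).
import hashlib
import hmac
import secrets


def hkdf_extract(algo: str, ikm: bytes, salt: bytes = b"") -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM). An omitted salt is HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(algo).digest_size
    return hmac.new(salt, ikm, algo).digest()


def hkdf_expand(algo: str, prk: bytes, length: int, info: bytes = b"") -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    hash_len = hashlib.new(algo).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be between 1 and 255*HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), algo).digest()
        okm += block
        counter += 1
    return okm[:length]


def hash_hkdf(algo: str, ikm: bytes, length: int = 0, info: bytes = b"", salt: bytes = b"") -> bytes:
    """Same parameter order as PHP's hash_hkdf(); length 0 means one hash output."""
    if not ikm:
        raise ValueError("ikm must not be empty")
    if length == 0:
        length = hashlib.new(algo).digest_size
    return hkdf_expand(algo, hkdf_extract(algo, ikm, salt), length, info)


def derive_subkeys(ikm: bytes, salt: bytes) -> dict:
    """Hypothetical helper: one strong IKM, distinct per-purpose keys selected via info."""
    return {
        label: hash_hkdf("sha256", ikm, 32, label.encode(), salt)
        for label in ("encryption", "authentication")
    }


if __name__ == "__main__":
    ikm = secrets.token_bytes(32)   # strong, CSPRNG-generated IKM, as the RFC requires
    salt = secrets.token_bytes(16)  # non-secret; may be stored beside the ciphertext
    keys = derive_subkeys(ikm, salt)
    print({k: v.hex() for k, v in keys.items()})
```

The first two assertions in the accompanying test are RFC 5869 test cases 1 and 3 (the latter with salt and info omitted), which is how to check any HKDF implementation before trusting it.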