Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: hash_hkdf() signature and return value
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Fri, 8 Sep 2017 19:45:46 +0900
To: Niklas Keller
Cc: Andrey Andreev, internals@lists.php.net, Nikita Popov

Hi Niklas,

On Fri, Sep 8, 2017 at 7:27 PM, Yasuo Ohgaki wrote:
> Hi Niklas,
>
> On Fri, Sep 8, 2017 at 6:38 PM, Niklas Keller wrote:
>
>>> I finally found out what's wrong.
>>
>> No, you didn't. You still want to use user-supplied passwords as IKM.
>> HKDF is not suited for that purpose.
>
> Andrey and Nikita clearly misunderstood RFC 5869.
> This is what was wrong in previous discussions.
>
> Weak key usage is a smaller issue, as I insisted HKDF is perfectly
> good for CSRF tokens, API keys and URI signing. These 3 would be
> the most common PHP HKDF applications.
>
> What do you mean by "No, you didn't"?
>
> I totally agree that a weak key has more risks.
> The risk is too obvious for any algorithm.
> Suppose we have "A" as the key; there is no protection at all.
> Not even PBKDF2 or anything else can protect such passwords.
>
> I think you don't mean users shouldn't use key derivation with a password.
> Users may use HKDF and a password with the security level of the password.

I was thinking in the password hashing context, not key derivation.
I was wrong (as well as you). I take back my last statement.

Even with super weak passwords, attackers cannot guess the derived keys
when "Salt" is used properly. i.e. A strong random "secret" salt makes
the derived key perfectly random.

Although there are minor issues (i.e. misuse), users can safely use
HKDF with any password.

Now, please discuss the most important point.
Are we going to fix the hash_hkdf() API mess or not?

Regards,

--
Yasuo Ohgaki
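Added example, not part of this mail or of PHP's own documentation: the use the thread agrees HKDF is good for, deriving purpose-bound keys from a high-entropy server secret with hash_hkdf() (argument order: algo, key, length, info, salt) and using one of them to sign and verify a URI. The "php-app/..." info labels, the salt handling and the helper names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed values: a high-entropy server secret used as IKM (not a user
// password) and a random per-deployment salt. In production both would be
// loaded from configuration, not generated on every request.
$serverSecret = random_bytes(32);
$salt = random_bytes(16);

/**
 * Derive a 32-byte subkey bound to one purpose with HKDF-SHA256.
 * Distinct `info` strings give domain separation: CSRF, API-key and
 * URI-signing keys differ even though they come from the same IKM.
 */
function deriveSubkey(string $ikm, string $purpose, string $salt): string
{
    return hash_hkdf('sha256', $ikm, 32, 'php-app/' . $purpose . '/v1', $salt);
}

/** Append an HMAC-SHA256 signature (URL-safe base64) to a path + query. */
function signUri(string $uri, string $ikm, string $salt): string
{
    $key = deriveSubkey($ikm, 'uri-signing', $salt);
    $mac = hash_hmac('sha256', $uri, $key, true);
    $sig = rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');
    return $uri . (strpos($uri, '?') === false ? '?' : '&') . 'sig=' . $sig;
}

/** Verify a signed URI in constant time; return the unsigned URI or null. */
function verifySignedUri(string $signedUri, string $ikm, string $salt): ?string
{
    if (!preg_match('/^(.*)[?&]sig=[A-Za-z0-9_-]+$/', $signedUri, $m)) {
        return null;
    }
    $uri = $m[1];
    // Re-sign the stripped URI and compare the whole string, not just the MAC.
    return hash_equals(signUri($uri, $ikm, $salt), $signedUri) ? $uri : null;
}

// Same IKM and salt, different info: the two subkeys must not be equal.
$csrfKey = deriveSubkey($serverSecret, 'csrf-token', $salt);
$apiKey  = deriveSubkey($serverSecret, 'api-key', $salt);
var_dump($csrfKey !== $apiKey);

// A signed URI verifies; a URI whose query was tampered with must not.
$signed = signUri('/download?file=report.pdf', $serverSecret, $salt);
var_dump(verifySignedUri($signed, $serverSecret, $salt));
$tampered = str_replace('report.pdf', 'secrets.pdf', $signed);
var_dump(verifySignedUri($tampered, $serverSecret, $salt));
```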