Newsgroups: php.internals
Subject: Re: [PHP-DEV] hash_hkdf() signature
From: fsb@thefsb.org ("Tom Worster")
To: "Scott Arciszewski"
Cc: "internals@lists.php.net"
Date: Tue, 07 Feb 2017 20:22:54 -0500

On 2/7/17 3:22 PM, Scott Arciszewski wrote:

> One such real-world use case: Defuse v1 used HKDF without a salt.
>
> https://github.com/defuse/php-encryption/blob/b87737b2eec06b13f025cabea847338fa203d1b4/Crypto.php#L157-L170
> https://github.com/defuse/php-encryption/blob/b87737b2eec06b13f025cabea847338fa203d1b4/Crypto.php#L358
>
> In version 2, we included a 32-byte random salt for each encryption, which
> was stored next to the AES-256-CTR nonce in the ciphertext. (Both the nonce
> and HKDF-salt, as well as the version information header, are covered by
> the HMAC of the ciphertext.)
>
> The end result: Instead of having to worry about birthday collisions after
> you've seen 2^64 AES outputs (because 128-bit randomly generated nonce),
> now you need 2^192 before you have a useful collision.

In this situation shouldn't you either use a longer random IKM or not use
HKDF at all?

If your IKM is so weak that it needs a salt then shouldn't you use an
iterated hash instead of HKDF?

Tom
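As an added illustration of the v2-style layout Scott describes (per-message random HKDF salt stored beside the AES-256-CTR nonce, with header, salt and nonce all under the HMAC), here is a self-contained sketch written against PHP's hash_hkdf() and its salt parameter. This is not code from defuse/php-encryption or from anyone in this thread; the version header bytes, the HKDF info strings and the exact wire layout are assumptions chosen for the example. It needs PHP >= 7.1.2 (for hash_hkdf) with the openssl extension.

```php
<?php
declare(strict_types=1);

// Example only: not defuse/php-encryption. Header value, info strings
// and byte layout below are assumptions made for this illustration.
const VERSION_HEADER = "\xDE\xF5\x02\x00"; // hypothetical 4-byte version tag
const SALT_BYTES  = 32;  // HKDF salt, fresh random bytes per message
const NONCE_BYTES = 16;  // AES-CTR nonce/IV
const MAC_BYTES   = 32;  // HMAC-SHA256 tag

/**
 * Derive a per-message encryption key and authentication key from the
 * long-term key with HKDF-SHA256, keyed on the random salt. Because the
 * salt changes per message, a keystream only repeats when both the
 * 256-bit salt and the 128-bit nonce repeat, which is the 2^192 bound
 * in Scott's message rather than the 2^64 bound of the nonce alone.
 * hash_hkdf(algo, ikm, length, info, salt) is the signature under discussion.
 */
function deriveKeys(string $key, string $salt): array
{
    $encKey = hash_hkdf('sha256', $key, 32, 'example|encryption', $salt);
    $macKey = hash_hkdf('sha256', $key, 32, 'example|authentication', $salt);
    return [$encKey, $macKey];
}

function encrypt(string $plaintext, string $key): string
{
    $salt  = random_bytes(SALT_BYTES);
    $nonce = random_bytes(NONCE_BYTES);
    [$encKey, $macKey] = deriveKeys($key, $salt);

    $ciphertext = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $nonce);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }

    // Header, salt and nonce sit in front of the ciphertext and are all
    // covered by the MAC, so none of them can be swapped undetected.
    $authenticated = VERSION_HEADER . $salt . $nonce . $ciphertext;
    $mac = hash_hmac('sha256', $authenticated, $macKey, true);
    return $authenticated . $mac;
}

function decrypt(string $message, string $key): string
{
    $hdrLen = strlen(VERSION_HEADER);
    if (strlen($message) < $hdrLen + SALT_BYTES + NONCE_BYTES + MAC_BYTES) {
        throw new RuntimeException('message too short');
    }
    if (!hash_equals(VERSION_HEADER, substr($message, 0, $hdrLen))) {
        throw new RuntimeException('unknown version');
    }
    $salt  = substr($message, $hdrLen, SALT_BYTES);
    $nonce = substr($message, $hdrLen + SALT_BYTES, NONCE_BYTES);
    $mac   = substr($message, -MAC_BYTES);
    $authenticated = substr($message, 0, -MAC_BYTES);
    $ciphertext = substr($authenticated, $hdrLen + SALT_BYTES + NONCE_BYTES);

    [$encKey, $macKey] = deriveKeys($key, $salt);

    // Verify the tag in constant time before touching the ciphertext.
    $expected = hash_hmac('sha256', $authenticated, $macKey, true);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('MAC mismatch');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $nonce);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Usage with a constructed key; a real deployment keeps 32 random bytes secret.
$key = random_bytes(32);
$msg = encrypt('attack at dawn', $key);
var_dump(decrypt($msg, $key) === 'attack at dawn'); // bool(true)

// Flip one bit of the stored salt: the MAC covers it, so decryption must fail.
$tampered = $msg;
$tampered[strlen(VERSION_HEADER)] = chr(ord($tampered[strlen(VERSION_HEADER)]) ^ 1);
try {
    decrypt($tampered, $key);
    echo "unexpected: tampered message accepted\n";
} catch (RuntimeException $e) {
    echo "tampering detected: {$e->getMessage()}\n";
}
```

The salt here is not doing PBKDF-style stretching of a weak key, which is the distinction Tom's question turns on: the IKM is still assumed to be a full-strength random key, and the salt's only job is to make the derived subkeys differ per message so that a nonce repeat alone no longer yields a keystream reuse.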