Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:98258
Return-Path: <narf@devilix.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 20000 invoked from network); 8 Feb 2017 11:27:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 8 Feb 2017 11:27:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain devilix.net designates 74.125.82.172 as permitted sender)
X-PHP-List-Original-Sender: narf@devilix.net
X-Host-Fingerprint: 74.125.82.172 mail-ot0-f172.google.com  
Received: from [74.125.82.172] ([74.125.82.172:35427] helo=mail-ot0-f172.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F5/51-33872-D900B985 for <internals@lists.php.net>; Wed, 08 Feb 2017 06:27:25 -0500
Received: by mail-ot0-f172.google.com with SMTP id 65so110297332otq.2
        for <internals@lists.php.net>; Wed, 08 Feb 2017 03:27:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=dNk6eaeQbdvm0Yg4Ymbe+DTLm5Aynwpe2DX+DA3PlGE=;
        b=BcNODrlwM93gJ8ZfFvogKdt1V5LgktflWDD9WhfgGKsIKGosqppS1f/w9HO7ylnRH1
         SYUaVtnyTfMRBNioFdkS0AIdywTdJzkGS7jdBZ0n6KPKjnZ7tlEkg698ymm/L9UzeaZE
         xXNvTszhAf9bJ0/3OboXWty9sjjVnFRylJQuw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=dNk6eaeQbdvm0Yg4Ymbe+DTLm5Aynwpe2DX+DA3PlGE=;
        b=t7enbzmgjCp2o0ZhufGUFXFaWs/wH7XJe2jQQSz0LnLv6At/HHvnEj3XfK6mXldJpt
         om+bHpRPMTChxyQ9LIq5v/jwwWXz4LZhpiOaecj/WlDenlfvYFlyVND/qTjPp4ViMxE3
         Tm3uJhNbQNPY9cWLQRpTm83g9Dohv9OPDdpqvyucWlK7Tfjct9BHXD4efDQwAz2BTNXS
         prrvJ9EC89coAWRvh1CxJJFLFvfAIwT7nq75Ihpcp5CWe4nCG+YunMuwyr4wTo2JV4Jt
         EOzBgsSVOGB8nc/rnxoWT9lybHXIE+kQf+OQgpgJvah8qZGCp3UBj98O1u7i0y1Up+3G
         0Yrg==
X-Gm-Message-State: AMke39kpcTcP3kwrkuAkuFPd8775yfyUch0CNTCXbHDK6SKlaA6+hiIxRtYLKRH2fRGd8NBoibiJrzzgvJc3qQ==
X-Received: by 10.157.27.154 with SMTP id z26mr11707105otd.181.1486553243042;
 Wed, 08 Feb 2017 03:27:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.134.170 with HTTP; Wed, 8 Feb 2017 03:27:22 -0800 (PST)
In-Reply-To: <CAKws9z31kvAs16kU1QBfdTP+G0d21PYcRaCw2-8rdsZpsRxkFg@mail.gmail.com>
References: <CAGa2bXZWKqJpvWma1zdY8j+yFg-pMXBZZHpUHb=KhJQucCf+9Q@mail.gmail.com>
 <CAKws9z31kvAs16kU1QBfdTP+G0d21PYcRaCw2-8rdsZpsRxkFg@mail.gmail.com>
Date: Wed, 8 Feb 2017 13:27:22 +0200
Message-ID: <CAPhkiZzO_B5OZExTYGpwk1oBEb=J4Mvw3DYJznU3+etwSuxqsw@mail.gmail.com>
To: Scott Arciszewski <scott@paragonie.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, "internals@lists.php.net" <internals@lists.php.net>, 
	Nikita Popov <nikita.ppv@gmail.com>
Content-Type: multipart/alternative; boundary=001a113e026cfdddf405480325c6
Subject: Re: [PHP-DEV] hash_hkdf() signature
From: narf@devilix.net (Andrey Andreev)

--001a113e026cfdddf405480325c6
Content-Type: text/plain; charset=UTF-8

Hi,

On Tue, Feb 7, 2017 at 10:22 PM, Scott Arciszewski <scott@paragonie.com>
wrote:

>
>
> Although the RFC itself says that salts are optional, the argument to make
> them required in PHP's implementation has merit. The only downside is: If
> you're integrating with an implementation that doesn't require salts, and
> the application doesn't use salts, you're out of luck. Is that enough of a
> downside to dismiss an argument for better security? Maybe.
>
>
I said this in another thread already, but I'll re-iterate here ... Using a
salt should be recommended, but the suggestion here takes that out of
context and misses a key point - that the Length and Info params are not of
any less importance overall.

- Length is effectively the key size and is in fact not optional in
RFC5869*. You have to really know what you're doing if you don't use it,
and choose the hash function very carefully. I'd argue that if you know
this well enough, you'd also know what to do with Salt.
- Info is technically optional, but pretty much the feature why you'd
choose HKDF over other KDFs. It's what makes HKDF's more useful in that it
enables derivation of multiple OKMs from a single IKM. If you don't need
Info, chances are you don't need HKDF.

One could use Salt for the purposes of Info, but that would be misusing the
algorithm.
Over-focusing on Section 3.1 of the specification, while at the same time
ignoring Section 3.2 - arbitrarily making OptionalParamX mandatory because
the note about it mentions the word "security". Noble, but misguided.

I'd have no problem if ALL of the params were made non-optional - I'm all
for that, but either do that or leave it untouched.

* RFC 5869: https://tools.ietf.org/html/rfc5869

Cheers,
Andrey.

--001a113e026cfdddf405480325c6--