Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:98268 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71743 invoked from network); 9 Feb 2017 05:35:39 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Feb 2017 05:35:39 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:40332] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 95/D5-33872-5AFFB985 for ; Thu, 09 Feb 2017 00:35:35 -0500 Received: (qmail 37464 invoked by uid 89); 9 Feb 2017 05:35:30 -0000 Received: from unknown (HELO mail-qt0-f180.google.com) (yohgaki@ohgaki.net@209.85.216.180) by 0 with ESMTPA; 9 Feb 2017 05:35:30 -0000 Received: by mail-qt0-f180.google.com with SMTP id k15so187357593qtg.3 for ; Wed, 08 Feb 2017 21:35:29 -0800 (PST) X-Gm-Message-State: AMke39kTYbVx/seuoxnLTn1nVdp0YEYqNUskpgbCk0mWEr+SGklxc2i5Ke3f9kpPDj8f1/k6BQopR3ad/X1BJw== X-Received: by 10.237.61.20 with SMTP id g20mr1310250qtf.272.1486618523063; Wed, 08 Feb 2017 21:35:23 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.19.232 with HTTP; Wed, 8 Feb 2017 21:34:42 -0800 (PST) In-Reply-To: References: Date: Thu, 9 Feb 2017 14:34:42 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Andrey Andreev Cc: Scott Arciszewski , "internals@lists.php.net" , Nikita Popov Content-Type: multipart/alternative; boundary=001a11432912fc05540548125838 Subject: Re: [PHP-DEV] hash_hkdf() signature From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11432912fc05540548125838 Content-Type: text/plain; charset=UTF-8 Hi Andrey, On Wed, Feb 8, 2017 at 8:27 PM, Andrey Andreev wrote: > On Tue, Feb 7, 2017 at 10:22 PM, Scott Arciszewski > wrote: > >> >> >> Although the RFC itself says that salts are optional, the argument to >> make them required in PHP's implementation has merit. The only downside is: >> If you're integrating with an implementation that doesn't require salts, >> and the application doesn't use salts, you're out of luck. Is that enough >> of a downside to dismiss an argument for better security? Maybe. >> >> > I said this in another thread already, but I'll re-iterate here ... Using > a salt should be recommended, but the suggestion here takes that out of > context and misses a key point - that the Length and Info params are not of > any less importance overall. > From the HKDF algorithm, importance is clear. Salt >>> info > length. Salt is the most important to secure input key. You seem to think following is the most important. - Salt could be optional _only_ when input key is cryptographically strong. What this means is - Salt is absolute _mandatory_ parameter unless input key is absolutely strong key. - Length is effectively the key size and is in fact not optional in > RFC5869*. You have to really know what you're doing if you don't use it, > and choose the hash function very carefully. I'd argue that if you know > this well enough, > - Info is technically optional, but pretty much the feature why you'd > choose HKDF over other KDFs. It's what makes HKDF's more useful in that it > enables derivation of multiple OKMs from a single IKM. If you don't need > Info, chances are you don't need HKDF. > There is huge difference between "Required to be implemented" and "Required/important as parameter". Implementation requirement is _nothing_ to do with parameter requirement/importance. 'salt' could be omitted the application that input key is always strong. This cannot be applied to generic API like hash_hkdf() that would be used by countless applications. Why you recommends following usage? hash_hkdf('sha256', $weak_ikm, 9); // We can generate strong key easily, Nice! <= Must not do this. One could use Salt for the purposes of Info, but that would be misusing the > algorithm. > I totally agree. HKDF is specific about 'salt' and 'info' task. Salt is entropy to make input/output key strong/stronger. Info is for output key context. Over-focusing on Section 3.1 of the specification, while at the same time > ignoring Section 3.2 - arbitrarily making OptionalParamX mandatory because > the note about it mentions the word "security". Noble, but misguided. > What's the reason why you trying to disregard RFC 5869 strongly recommends? "designers of applications are therefore encouraged to provide salt values to HKDF if such values can be obtained by the application." It seems you're mixed up with "Implementation requirement" and "Parameter requirement/importance". After all, we are implementing RFC 5869, why we should not follow recommendation? > I'd have no problem if ALL of the params were made non-optional - I'm all > for that, but either do that or leave it untouched. > > * RFC 5869: https://tools.ietf.org/html/rfc5869 > While I don't mind requiring both 'salt' and 'info', I strongly disagree with the current parameter order and 'length' is pure optional parameter. 'info' is important but optional. 'salt' can only be optional when input key is absolutely cryptographically strong. Parameter order must reflect - importance of the parameter - likelihood to be used Salt is the most important for both input and output key security. Salt is mandatory and/or can be used for almost always with PHP. Salt usage results in better design/security. Salt is often used as final key as combined key. Does 'length' and/or 'info' achieve or designed for aboves? I don't think so. hash_hkdf() is generic API. $ikm cannot be strong key always. Assuming $ikm to be strong is simply wrong assumption. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11432912fc05540548125838--