Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:98271 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 96584 invoked from network); 9 Feb 2017 12:52:36 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Feb 2017 12:52:36 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:41444] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 6C/67-33872-2166C985 for ; Thu, 09 Feb 2017 07:52:35 -0500 Received: (qmail 104465 invoked by uid 89); 9 Feb 2017 12:52:30 -0000 Received: from unknown (HELO mail-qk0-f181.google.com) (yohgaki@ohgaki.net@209.85.220.181) by 0 with ESMTPA; 9 Feb 2017 12:52:30 -0000 Received: by mail-qk0-f181.google.com with SMTP id s186so2887912qkb.1 for ; Thu, 09 Feb 2017 04:52:29 -0800 (PST) X-Gm-Message-State: AMke39lAz9wM0KSkXNJkYDzEafUn/dJ8k0r1+QvbD7ucuQserHZhStTVP3a3sRUAAObqX679z+6fScrTbh2A4g== X-Received: by 10.55.67.135 with SMTP id q129mr2765821qka.98.1486644743657; Thu, 09 Feb 2017 04:52:23 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.19.232 with HTTP; Thu, 9 Feb 2017 04:51:43 -0800 (PST) In-Reply-To: References: Date: Thu, 9 Feb 2017 21:51:43 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Andrey Andreev Cc: Scott Arciszewski , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1148a27ada945305481873bd Subject: Re: [PHP-DEV] hash_hkdf() signature From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a1148a27ada945305481873bd Content-Type: text/plain; charset=UTF-8 Hi Andrey, How the manual page would be. Would it be "Even though 'slat' is the last optional parameter that users may omit easily by mistake, users _must_ set strong salt for weak $ikm. This is mandatory requirement for HKDF to work. In addition, it is advices to set salt whenever possible as RFC 5689 recommends" It can't make sense for new function. On Thu, Feb 9, 2017 at 7:59 PM, Andrey Andreev wrote: > > The fact that you continue to talk about passwords and other low-entropy > data as IKM shows, yet again, that you don't understand HKDF. > It is simply not a password-based KDF; if you want that - use PBKDF2. > Please read Section 4* of the spec: https://tools.ietf.org/html/ > rfc5869.html#section-4 > PHP would not be a language that builds low level crypto library/feature. I'm not sure what you mean by this. What sentences you refer as I don't understand? I assumed you would like to derive human typable password because you prefer to have the most priority for "length". Do you have any typical "length" use with PHP? HKDF relies on PRK being cryptographically strong. Extract step PRK = HMAC-Hash(salt, IKM) You should understand users _must_ make sure either "salt" or "IKM" is strong for HKDF to work. Since hash_hkdf() is generic function, you never can make sure IKM to be strong always. With this fact alone, salt must have the most priority. > In fact, at one point I suggested the function be named just 'hkdf()' as a > way of discouraging such misuse, because a lot of people associate the word > "hash" with password handling. > > And this ... > > >> I suppose most developers will use 'length' for shorter length. >> i.e. Weaker output keys. If it's not too short, shorter key length works. >> >> > Shows that you shouldn't be trusted with anything related to cryptography > either. > I may be no cryptographer myself, but one thing I know for sure is that > shorter than required key lengths are *never* ok, and most encryption > algorithms have a *fixed* key length. > Are you assuming converting crypto keys to be other length would be the typical HKDF usage with PHP? Then, I have to say your assumption is wrong. It would be most used for CSRF key generation, object access control, e.g. AWS S3 presigned URL, or anything related to web app, not low level crypto. Discussion so far would not justify use of vulnerable, i.e. PRK could be weak very easily, signature. And you don't answer questions to you: ---------------- Why you recommends following usage? hash_hkdf('sha256', $weak_ikm, 9); // We can generate strong key easily, Nice! <= Must not do this. ---------------- ---------------- What's the reason why you trying to disregard RFC 5869 strongly recommends? ---------------- ---------------- Parameter order must reflect - importance of the parameter - likelihood to be used Salt is the most important for both input and output key security. Salt is mandatory and/or can be used for almost always with PHP. Salt usage results in better design/security. Salt is often used as final key as combined key. Does 'length' and/or 'info' achieve or designed for aboves? I don't think so. ---------------- ---------------- BTW, I don't think of typical PHP application that requires human typable short password with HKDF. What kind of application would be? ---------------- Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a1148a27ada945305481873bd--