Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:98286
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 24647 invoked from network); 13 Feb 2017 02:15:49 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 13 Feb 2017 02:15:49 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:54534] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id ED/27-29023-1D611A85 for <internals@lists.php.net>; Sun, 12 Feb 2017 21:15:47 -0500
Received: (qmail 110973 invoked by uid 89); 13 Feb 2017 02:15:42 -0000
Received: from unknown (HELO mail-qt0-f175.google.com) (yohgaki@ohgaki.net@209.85.216.175)
  by 0 with ESMTPA; 13 Feb 2017 02:15:42 -0000
Received: by mail-qt0-f175.google.com with SMTP id x49so73315152qtc.2
        for <internals@lists.php.net>; Sun, 12 Feb 2017 18:15:41 -0800 (PST)
X-Gm-Message-State: AMke39nJfNzjGSEIBQgJ0MBeFQQ484VZM39o4hwaTyvPESJae1QdZHeJm4Ed8G422pCOoR/583Y1+8HyWsZ5pA==
X-Received: by 10.237.61.20 with SMTP id g20mr20408346qtf.272.1486952135708;
 Sun, 12 Feb 2017 18:15:35 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.19.232 with HTTP; Sun, 12 Feb 2017 18:14:55 -0800 (PST)
Date: Mon, 13 Feb 2017 11:14:55 +0900
X-Gmail-Original-Message-ID: <CAGa2bXa8Sqfp2TWtmqH_uAy9eG41zm523gy3+wt9n8TtJbMfWA@mail.gmail.com>
Message-ID: <CAGa2bXa8Sqfp2TWtmqH_uAy9eG41zm523gy3+wt9n8TtJbMfWA@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11432912d8ffb10548600590
Subject: [RFC][DISCUSSION] Improve hash_hkdf() parameter
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11432912d8ffb10548600590
Content-Type: text/plain; charset=UTF-8

Hi all,

First of all, sorry for hash_hkdf() parameter discussion mess.
I tried to described the issue clearly in the RFC. Although I've tried
not to be repetitive, there are in order to avoid unnecessary confusions.

hash_hkdf() is simple hash_hmac() extension that allows to add non secret
information(key context) to derive key(hash) from existing key. While
hash_hkdf()
is great function to implement various security features for web apps,
it has inadequate/insecure parameter order/requirement and return value
currently.

This RFC proposes function signature improvement and value returned
from the function, so that it has logical/consistent parameter order and
return value.

https://wiki.php.net/rfc/improve_hash_hkdf_parameter

It includes some useful example HKDF applications with PHP.

Since CSRF becomes one of the most serious threat in web app,
"Advanced CSRF token" example might be one of the most used
HKDF application with PHP. You may want to have a look the example
at least even if you are not interested in hash functions. I don't see
this kind of advanced CSRF token often.
https://wiki.php.net/rfc/improve_hash_hkdf_parameter#
example_4advanced_csrf_token

Please make sure to distinguish "HKDF implementation requirement
for specific application(usage)" and "General purpose HKDF function
design and best practice". I presume this was the cause of previous
discussion mess. (And my prejudice that fundamentals won't be mistaken)

If you find any wrong or unclear statement, please let me know. I'll fix
them
gladly. I appreciate any improvement suggestions. If you would like send
mail privately, I don't mind at all.

Thank you for reading long RFC.

TL;DR;
https://wiki.php.net/rfc/improve_hash_hkdf_parameter#current_status

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11432912d8ffb10548600590--