Newsgroups: php.doc,php.internals
Date: Sat, 15 Apr 2017 08:51:27 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Nikita Popov
Cc: Pieter Hordijk, Joe Watkins, Andrey Andreev, internals@lists.php.net, PHP Documentation ML
Subject: Re: [PHP-DEV] [RFC][VOTE] Improve hash_hkdf() parameter
References: <0285A0ED-A39F-46C9-A927-3C786F2B256D@koalephant.com> <1924612862.1298112.1492071094545.JavaMail.zimbra@pieterhordijk.com>

Hi Nikita,

On Fri, Apr 14, 2017 at 6:24 PM, Nikita Popov wrote:

> Strong -1 on these docs changes. They are wrong and they will confuse
> users about when and how HKDF should be used.
>
> I have no idea where you got the idea that HKDF is supposed to be used for
> CSRF token generation, but it isn't. I did not check whether your code is
> correct and secure, but CSRF token generation is certainly not a common or
> typical application of HKDF and as such should not be present in the
> documentation.
>
> Your "bad example" is actually pretty much the textbook use-case for HKDF.
> The way you wrote it (get an AES-256 key from an AES-128 key) doesn't make
> much sense, but the general principle of extracting two keys (for
> encryption and authentication) from a single key is one of *the* use-cases
> of HKDF. It is also, contrary to your statement in the documentation
> snippet, perfectly cryptographically sound. A salt is not required for this
> case. A salt *may* be beneficial, but for entirely different reasons (as
> Scott pointed out, for many block cipher modes fixed encryption keys only
> have a lifetime of around 2^64 encryptions, past which point IV collisions
> are to be expected -- a salt in key derivation could mitigate this.)

It seems you consider HKDF a very specific function for a very specific crypto task, which is not what RFC 5869 intends. RFC 5869 explicitly states, in "4. Applications of HKDF":

    HKDF is intended for use in a wide variety of KDF applications.

Why must we limit HKDF usage to certain crypto tasks when it is designed for _general_ key derivation tasks?

Key derivation in authentication is a very common task. A CSRF token is a "key that validates the _authentic_ request".

It is obvious that an expiration-enabled, URI-specific CSRF token is a lot more secure than common static CSRF tokens that are valid for all requests. How could this be a bad example?

A 128-bit-entropy key for AES-256 is simply bad practice, like

    $aes256key = hash('sha256', 'mypassword', true);

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net