One such real-world use case: Defuse v1 used HKDF without a salt.
https://github.com/defuse/php-encryption/blob/b87737b2eec06b13f025cabea847338fa203d1b4/Crypto.php#L157-L170
https://github.com/defuse/php-encryption/blob/b87737b2eec06b13f025cabea847338fa203d1b4/Crypto.php#L358

In version 2, we included a 32-byte random salt for each encryption, which
was stored next to the AES-256-CTR nonce in the ciphertext. (Both the nonce
and HKDF-salt, as well as the version information header, are covered by
the HMAC of the ciphertext.)

The end result: Instead of having to worry about birthday collisions after
you've seen 2^64 AES outputs (because of a 128-bit randomly generated nonce),
now you need 2^192 before you have a useful collision.

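Added example, not part of this thread and not php-encryption's own code: the envelope layout the message above describes, written in Python so it runs stand-alone. A fresh 32-byte HKDF salt is generated per encryption and stored beside the nonce; the version header, salt, nonce and ciphertext are all under the HMAC, so tampering with the salt or nonce is rejected before any decryption happens. The HKDF is RFC 5869 over HMAC-SHA256 and is checked against the RFC's first test vector. Everything else is an assumption of this example: the 4-byte version header value, the HKDF info strings, the constructed IKM, and the cipher layer, which stands in for AES-256-CTR with an HMAC-SHA256 counter keystream because the Python standard library has no AES.

```python
"""Per-message HKDF salt stored next to the CTR nonce, both covered by the
HMAC. Example code, not the Defuse library's implementation."""
import hashlib
import hmac
import secrets
import struct

HASH = "sha256"
HASH_LEN = 32
VERSION_HEADER = b"\xde\xf5\x02\x00"   # constructed version tag, not Defuse's real header
SALT_LEN = 32                          # 256-bit HKDF salt, fresh per encryption
NONCE_LEN = 16                         # 128-bit CTR nonce, fresh per encryption
MAC_LEN = 32
IKM = bytes(range(32))                 # constructed input key material for the demo


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Extract followed by HKDF-Expand, HMAC-SHA256 throughout."""
    if not salt:                       # RFC 5869: a missing salt is HASH_LEN zero bytes
        salt = b"\x00" * HASH_LEN
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(ikm: bytes, salt: bytes):
    """Two independent 32-byte keys from one IKM; the salt makes them per-message.
    The info strings are this example's own, not the library's."""
    enc_key = hkdf(ikm, salt, b"Example|EncryptionKey", 32)
    auth_key = hkdf(ikm, salt, b"Example|AuthenticationKey", 32)
    return enc_key, auth_key


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-256-CTR: PRF(key, nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), HASH).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(ikm: bytes, plaintext: bytes) -> bytes:
    """header || salt || nonce || ct || HMAC(header || salt || nonce || ct)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, auth_key = derive_keys(ikm, salt)
    ct = xor(plaintext, ctr_keystream(enc_key, nonce, len(plaintext)))
    body = VERSION_HEADER + salt + nonce + ct
    return body + hmac.new(auth_key, body, HASH).digest()


def decrypt(ikm: bytes, blob: bytes) -> bytes:
    """Parse the envelope, verify the HMAC over everything before the tag, then decrypt."""
    hdr_end = len(VERSION_HEADER)
    salt_end = hdr_end + SALT_LEN
    nonce_end = salt_end + NONCE_LEN
    if len(blob) < nonce_end + MAC_LEN:
        raise ValueError("ciphertext too short")
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    if body[:hdr_end] != VERSION_HEADER:
        raise ValueError("unknown version header")
    salt, nonce, ct = body[hdr_end:salt_end], body[salt_end:nonce_end], body[nonce_end:]
    enc_key, auth_key = derive_keys(ikm, salt)
    if not hmac.compare_digest(hmac.new(auth_key, body, HASH).digest(), tag):
        raise ValueError("integrity check failed")
    return xor(ct, ctr_keystream(enc_key, nonce, len(ct)))


def rfc5869_vector_ok() -> bool:
    """Check hkdf() against RFC 5869 Appendix A, test case 1."""
    okm = hkdf(b"\x0b" * 22, bytes.fromhex("000102030405060708090a0b0c"),
               bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return okm == bytes.fromhex("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db0"
                                "2d56ecc4c5bf34007208d5b887185865")


def roundtrip_ok() -> bool:
    msg = b"attack at dawn"          # constructed plaintext
    return decrypt(IKM, encrypt(IKM, msg)) == msg


def keystreams_differ_with_salt() -> bool:
    """Same IKM and the same nonce, but fresh salts: the CTR keys differ, so a
    repeated nonce no longer yields a repeated keystream."""
    nonce = b"\x00" * NONCE_LEN
    k1, _ = derive_keys(IKM, secrets.token_bytes(SALT_LEN))
    k2, _ = derive_keys(IKM, secrets.token_bytes(SALT_LEN))
    return ctr_keystream(k1, nonce, 32) != ctr_keystream(k2, nonce, 32)


def salt_tamper_detected() -> bool:
    """Flip one bit of the stored salt: the HMAC covers it, so decrypt() refuses."""
    blob = bytearray(encrypt(IKM, b"hello"))
    blob[len(VERSION_HEADER)] ^= 0x01
    try:
        decrypt(IKM, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("RFC 5869 vector:", rfc5869_vector_ok(), "round trip:", roundtrip_ok(),
          "salt changes keystream:", keystreams_differ_with_salt(),
          "salt tamper rejected:", salt_tamper_detected())
```

The order in decrypt() matters: the header, salt and nonce are parsed and the MAC checked before the derived encryption key is ever used, so a modified salt or nonce never reaches the cipher.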
In this situation shouldn't you either use a longer random IKM or not
use HKDF at all?
If your IKM is so weak that it needs a salt then shouldn't you use an
iterated hash instead of HKDF?
Tom