Hi fsb,

On Tue, Jan 17, 2017 at 3:47 AM, fsb <f...@thefb.org> wrote:

>> - when salt is '' (empty string), use default static known random salt
>> value.
>> Note: hkdf's salt could be known, yet provide stronger result as RFC
>> states.
>
> This change renders the implementation nonstandard. And it's useless for
> security.
>
> "Known" and "known to an attacker" are not the same. Alice and Bob must
> know the salt to obtain the derived key. But if they use a well-known
> standard value that everyone knows, the salt's purpose is defeated.

Right. A hardcoded salt only provides marginal improvement, e.g. attackers
have to build a PHP-specific dictionary. I don't insist on having a hardcoded
one because it's not too effective. Let's not have it.

> "Known" and "known to an attacker" are not the same.

This is very important. I explained why I would like to make the "salt
parameter required" in my reply to Nikita's post. IMO, most HKDF usage with PHP
can have a secret salt to improve security.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
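
The salt cases discussed in this message, as an added example that is not part of the original thread: it compares PHP's `hash_hkdf()` output for an empty salt, a static built-in salt, and a per-deployment secret salt. The `derive()` helper, the input key, the `info` label and the static salt value are all constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. Needs PHP >= 7.1.2 (hash_hkdf).
// Constructed sample values: $ikm and $info are made up for this demo.
$ikm  = 'shared-input-key-material';      // same input key in every deployment
$info = 'example-app:cookie-encryption';  // hypothetical context label

// Hypothetical helper: 32-byte HKDF-SHA256 output, hex encoded for printing.
function derive(string $ikm, string $info, string $salt): string
{
    return bin2hex(hash_hkdf('sha256', $ikm, 32, $info, $salt));
}

// Case 1: empty salt. RFC 5869 treats a missing salt as HashLen zero bytes,
// so '' and 32 NUL bytes produce the same derived key.
$emptySalt = derive($ikm, $info, '');
$zeroSalt  = derive($ikm, $info, str_repeat("\0", 32));

// Case 2: a static salt shipped inside the library (constructed value).
// The key differs from the unsalted one, but every installation derives the
// same key, so one table built for that constant covers all of them.
$static = 'hypothetical-builtin-salt-value';
$siteA  = derive($ikm, $info, $static);
$siteB  = derive($ikm, $info, $static);

// Case 3: a secret random salt, generated once per deployment and stored
// alongside that deployment's other secrets.
$secretA = derive($ikm, $info, random_bytes(32));
$secretB = derive($ikm, $info, random_bytes(32));

$show = function (string $label, bool $value): void {
    printf("%-42s %s\n", $label, var_export($value, true));
};

$show('empty salt == 32 zero bytes:',            hash_equals($emptySalt, $zeroSalt));
$show('static salt differs from empty salt:',    !hash_equals($emptySalt, $siteA));
$show('static salt: site A == site B:',          hash_equals($siteA, $siteB));
$show('secret salts: site A == site B:',         hash_equals($secretA, $secretB));
```

Only the last comparison is false: with the same input key, deployments end up with unrelated derived keys only when each holds its own secret salt.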