Hi Andrey,

On Sun, Feb 5, 2017 at 3:21 AM, Andrey Andreev <n...@devilix.net> wrote:

> Have *you* read anything else in the RFC?
>
> The reason why its authors have to recommend salt usage is because it is
> *otherwise the only optional part of the algorithm*.

Nonsense. You misread the RFC and my mail.

Who stores plain text passwords in the DB nowadays? It should be crypt() or hash_password(). The RFC obviously recommends salt for improved security. It's even clear from your misunderstood usage, plain text password ikm.

Have you read my reply?

Typical usage with per-user encryption:

1) Get password stored in db (which is crypt() or hash_password() obviously)
2) Use 1) as ikm to generate key
3) Use key from 2) to encrypt user data

With this usage, all of the users' data is decrypted by an attacker with SQL injection.

Better usage is

1) Get password stored in db (which is crypt() or hash_password() obviously)
2) Use 1) as ikm and "salt" to generate key (NOTE: One of the best places for salt storage is $_ENV)
3) Use key from 2) to encrypt user data

Now attackers cannot decrypt sensitive data encrypted by the keys.

There are many applications for HKDF. Typical HKDF usages with PHP can set salt. What's the reason why you insist on and recommend vulnerable usage?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
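The two usages contrasted in the mail above, as an added example that is not part of the original thread or of PHP's own code. It assumes PHP 7.1.2 or later (hash_hkdf) with the openssl extension; the password hash, the $_ENV salt name and the info string are constructed sample values.

```php
<?php
// Added example, not code from the mailing-list thread or from PHP itself.
// Contrasts the two HKDF usages from the mail: IKM = the password hash
// stored in the DB, first without and then with a salt kept in $_ENV.
// Assumes PHP >= 7.1.2 (hash_hkdf) and the openssl extension.

// Constructed sample: what the user's DB row holds (never the plain password).
$stored_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Constructed sample: secret kept in the process environment, not in the DB.
$_ENV['APP_KDF_SALT'] = 'constructed-secret-salt-loaded-from-env';

// Usage 1 (criticised in the mail): key derived only from what the DB contains.
function deriveKeyNoSalt(string $stored_hash): string {
    return hash_hkdf('sha256', $stored_hash, 32, 'user-data-encryption');
}

// Usage 2 (recommended in the mail): same IKM, plus a salt living outside the DB.
function deriveKeyWithSalt(string $stored_hash, string $env_salt): string {
    return hash_hkdf('sha256', $stored_hash, 32, 'user-data-encryption', $env_salt);
}

function encryptUserData(string $key, string $plaintext): array {
    $iv = random_bytes(12);   // 96-bit nonce for AES-256-GCM
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

// Returns false when the key is wrong (GCM tag check fails).
function decryptUserData(string $key, array $blob) {
    return openssl_decrypt($blob['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $blob['iv'], $blob['tag']);
}

// Model the threat from the mail: someone who obtained the DB contents has
// $stored_hash and the ciphertext, but not $_ENV. Re-derive with DB data only.
$secret = 'sensitive user data';

$key_1  = deriveKeyNoSalt($stored_hash);
$blob_1 = encryptUserData($key_1, $secret);
$db_only_1 = decryptUserData(deriveKeyNoSalt($stored_hash), $blob_1);
echo "no salt   : DB contents alone recover plaintext? ", ($db_only_1 === $secret ? "yes" : "no"), "\n";

$key_2  = deriveKeyWithSalt($stored_hash, $_ENV['APP_KDF_SALT']);
$blob_2 = encryptUserData($key_2, $secret);
$db_only_2 = decryptUserData(deriveKeyNoSalt($stored_hash), $blob_2);   // no env salt available
echo "with salt : DB contents alone recover plaintext? ", ($db_only_2 === false ? "no" : "yes"), "\n";

// The legitimate application, which does have $_ENV, still decrypts normally.
echo "app with salt decrypts: ", (decryptUserData($key_2, $blob_2) === $secret ? "yes" : "no"), "\n";
```

Expected run: the first line prints "yes", the second and third print "no" and "yes" respectively, which is the whole point of the salted usage: a DB dump alone no longer yields the encryption key.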