Hi all and Scott, On Wed, Feb 8, 2017 at 11:22 PM, Scott Arciszewski <sc...@paragonie.com> wrote:
> On Wed, Feb 8, 2017 at 6:27 AM, Andrey Andreev <n...@devilix.net> wrote: > >> Hi, >> >> On Tue, Feb 7, 2017 at 10:22 PM, Scott Arciszewski <sc...@paragonie.com> >> wrote: >> >>> >>> >>> Although the RFC itself says that salts are optional, the argument to >>> make them required in PHP's implementation has merit. The only downside is: >>> If you're integrating with an implementation that doesn't require salts, >>> and the application doesn't use salts, you're out of luck. Is that enough >>> of a downside to dismiss an argument for better security? Maybe. >>> >>> >> I said this in another thread already, but I'll re-iterate here ... Using >> a salt should be recommended, but the suggestion here takes that out of >> context and misses a key point - that the Length and Info params are not of >> any less importance overall. >> >> - Length is effectively the key size and is in fact not optional in >> RFC5869*. You have to really know what you're doing if you don't use it, >> and choose the hash function very carefully. I'd argue that if you know >> this well enough, you'd also know what to do with Salt. >> - Info is technically optional, but pretty much the feature why you'd >> choose HKDF over other KDFs. It's what makes HKDF's more useful in that it >> enables derivation of multiple OKMs from a single IKM. If you don't need >> Info, chances are you don't need HKDF. >> >> One could use Salt for the purposes of Info, but that would be misusing >> the algorithm. >> Over-focusing on Section 3.1 of the specification, while at the same time >> ignoring Section 3.2 - arbitrarily making OptionalParamX mandatory because >> the note about it mentions the word "security". Noble, but misguided. >> >> I'd have no problem if ALL of the params were made non-optional - I'm all >> for that, but either do that or leave it untouched. >> >> * RFC 5869: https://tools.ietf.org/html/rfc5869 >> >> Cheers, >> Andrey. >> > > > Given everything discussed in this sub-thread so far, I would be in favor > of making everything non-optional. > I'm OK with making 'salt' and 'info' required. Users should consider 'info'(key context) could be used almost always before omitting it. I suppose most developers will use 'length' for shorter length. i.e. Weaker output keys. If it's not too short, shorter key length works. I'm not sure if shorter output key length, that would weaken the key, does any good in general . Note: longer output key does not make output key stronger. It may hide used hash function, though. Most use cases would be AWS S3 pre-signed URL like usage that users do not have to care long keys. With such use cases, users are better to use key as is. i.e. Use default hash output length. There may be vote option for length, but I'm in favor of leave it as optional. I do care about parameter order, but what to be required is not too much concern to me. Regards, BTW, I don't think of typical PHP application that requires human typable short password with HKDF. What kind of application would be? Thank you. -- Yasuo Ohgaki yohg...@ohgaki.net
