Hi Nikita,

On Sat, Mar 25, 2017 at 8:17 PM, Nikita Popov <nikita....@gmail.com> wrote:

> I cannot, however, entirely refrain from pointing out the irony of making
> all parameters but $length required, while $length is actually the one
> parameter that any reasonable use of this function must specify: otherwise
> you would depend on the digest size of the hash function magically
> coinciding with the key length of your cipher (for example).


"info" is what HKDF makes most important because HMAC does not separate
'secret' (derivation KEY or salt) and 'info' (non-secret context). I fail
to see the reason why "derivation KEY" is least important for a generic
KEY derivation function.

I totally agree that 'modified length' is mandatory for 'specific crypto',
but they are very limited. "length" cannot be the most used option with almost
all PHP applications. See the list of possible PHP HKDF applications in the
RFC. I cannot agree with the opinion that 'length' is the most important HKDF
option. I could be wrong. Could you list applications that require
modified hash length that could make it most important for PHP apps? I
didn't see any practical examples in the discussion so far.

Since hash_hkdf() only exists in PHP 7.1.2/7.1.3, if we are going to fix
the "insecure" and "inconsistent" signature, now is the only chance.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
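
For reference on the parameters discussed in this message, an added example (not part of the thread and not PHP's own source) that writes out RFC 5869 HKDF with hash_hmac() and compares it with hash_hkdf(). The hkdf_manual() name, the key material and the info labels are constructed for illustration.

```php
<?php
// Added illustration; key material and info labels below are constructed.

// RFC 5869 HKDF spelled out with hash_hmac(), same argument order as hash_hkdf().
function hkdf_manual(string $algo, string $ikm, int $length = 0,
                     string $info = '', string $salt = ''): string
{
    $hashLen = strlen(hash($algo, '', true));
    if ($length === 0) {
        $length = $hashLen;                    // default: one digest of output
    }
    if ($length < 0 || $length > 255 * $hashLen) {
        throw new InvalidArgumentException('length out of range for this hash');
    }
    if ($salt === '') {
        $salt = str_repeat("\0", $hashLen);    // RFC 5869 default salt
    }
    // Extract: PRK = HMAC(salt, IKM). The salt is the HMAC key here.
    $prk = hash_hmac($algo, $ikm, $salt, true);
    // Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated.
    $okm = '';
    $block = '';
    for ($i = 1; strlen($okm) < $length; $i++) {
        $block = hash_hmac($algo, $block . $info . chr($i), $prk, true);
        $okm .= $block;
    }
    return substr($okm, 0, $length);
}

$ikm  = random_bytes(32);   // constructed input keying material
$salt = random_bytes(16);   // constructed salt

// With $length omitted, output size is whatever the chosen hash produces.
foreach (['sha256', 'sha512'] as $algo) {
    printf("%s default length: %d bytes\n", $algo, strlen(hash_hkdf($algo, $ikm)));
}

// Two keys for different purposes from one secret: explicit length, distinct info.
$encKey = hash_hkdf('sha512', $ikm, 32, 'example:encryption', $salt);
$macKey = hash_hkdf('sha512', $ikm, 32, 'example:authentication', $salt);
printf("distinct info gives distinct keys: %s\n",
       hash_equals($encKey, $macKey) ? 'no' : 'yes');

// Compare the manual version with the built-in for the same inputs.
$manual = hkdf_manual('sha512', $ikm, 32, 'example:encryption', $salt);
printf("hkdf_manual matches hash_hkdf: %s\n",
       hash_equals($encKey, $manual) ? 'yes' : 'no');
```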
