Hi all,

On Sun, Mar 26, 2017 at 7:29 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> I suggest you disclose the reason why you are against this change.
> Otherwise, you may be considered not to understand crypto basics.
> i.e. HKDF(IKM) security depends on PRK being secure. To make PRK
> secure or more secure, the "salt" parameter is required. "length" is
> irrelevant for security.

I'll try to explain a bit more by examples.

HKDF is designed to obtain the best possible "cryptographically strong hash value" (key) for various key derivation operations. The current signature could lead to insecure/wrong usages. (We have similar experience with other PHP functions, e.g. uniqid, crypt, etc.)

Example #1: Deriving a strong 256 bit AES key from a 128 bit AES key.

  $new_key = hash_hkdf('sha256', $AES_128bit_key, 32); // Derive 256 bit AES key from 128 bit key
  // No additional entropy, thus $new_key is not a strong 256 bit AES key.
  // Far from the best possible. Users must not do this with HKDF.

The same $new_key quality can be obtained by simple SHA-256 hashing, which is faster. Without a "strong derivation key", HKDF is not useful at all. The optimal way is

  $new_key = hash_hkdf('sha256', $AES_128bit_key, 0, '', $strong_derivation_key);
  // where $strong_derivation_key = random_bytes(32); or the like.

Example #2: Deriving a strong key from a weak key such as a user-entered password.

  $new_key = hash_hkdf('sha256', 'p@ssword');
  // Almost the same as hash('sha256', 'p@ssword'); All of us should know how bad this is.
  // Far from the best possible. Users must not do this with HKDF.

The same could be done with simple hash(). Users must provide a cryptographically strong derivation key, otherwise HKDF is useless.

  $new_key = hash_hkdf('sha256', 'p@ssword', 0, '', $strong_derivation_key);
  // where $strong_derivation_key = random_bytes(32); or the like.
  // Since input key material is weak, $strong_derivation_key must be secret.

Example #3: Deriving a CSRF token from a secret seed.

  $new_key = hash_hkdf('sha256', $secret_seed, 0, $version);
  // Almost the same as hash('sha256', $secret_seed . $version);
  // Far from the best possible. Users must not do this with HKDF.

The same could be done with simple hash(). Users must provide a cryptographically strong derivation key, otherwise HKDF is useless.

  $new_key = hash_hkdf('sha256', $secret_seed, 0, $version, $strong_derivation_key);
  // where $strong_derivation_key = random_bytes(32); or the like.

There are looong lists of this kind of insecure/wrong usage with the current signature. If you understand how to derive a "strong key" by HKDF, you should realize the current hash_hkdf() function signature is far from the best. The detailed rationale is explained in the PHP RFC, but it seems many of us do not understand this. HKDF is supposed to derive a "strong key"; why should we encourage "weak key" derivations with a non-optimal signature?

Regards,

P.S. I strongly objected to the current signature before the 7.1 merge. Shouldn't the committer write an RFC before committing in the first place? Especially for released versions.

--
Yasuo Ohgaki
yohg...@ohgaki.net
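The message above argues about which of hash_hkdf()'s parameters matter for the strength of the derived key. As an added example that is not part of this thread and not PHP's own implementation, the following Python code implements RFC 5869 HKDF (extract-then-expand) from scratch with the same parameter order as hash_hkdf() (algo, ikm, length, info, salt), checks it against the RFC's published Test Case 1, and reports which stage each parameter affects: salt enters only HKDF-Extract (and an empty salt is, per the RFC, an HMAC keyed with HashLen zero bytes), info enters only HKDF-Expand, and length only selects how many output bytes are returned. The IKM, salt and info strings in salt_and_info_effect() are constructed sample values, not real keys.

```python
import hashlib
import hmac

# Added example (not code from the php-internals thread or from PHP itself):
# a from-scratch RFC 5869 HKDF whose arguments mirror PHP's hash_hkdf()
# (algo, ikm, length, info, salt), so the role of each parameter can be
# inspected. Verified against RFC 5869 Appendix A, Test Case 1.


def hkdf_extract(algo: str, ikm: bytes, salt: bytes = b"") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    RFC 5869 section 2.2: if no salt is given it is set to HashLen zero bytes,
    so omitting the salt means keying the HMAC with a fixed, public value.
    """
    hash_len = hashlib.new(algo).digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, algo).digest()


def hkdf_expand(algo: str, prk: bytes, length: int, info: bytes = b"") -> bytes:
    """HKDF-Expand: OKM = T(1) | T(2) | ... truncated to `length` bytes.

    T(i) = HMAC-Hash(PRK, T(i-1) | info | i), with T(0) the empty string.
    """
    hash_len = hashlib.new(algo).digest_size
    if length <= 0 or length > 255 * hash_len:
        raise ValueError("length must be between 1 and 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), algo).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(algo: str, ikm: bytes, length: int = 0, info: bytes = b"", salt: bytes = b"") -> bytes:
    """Extract-then-expand with hash_hkdf()-style arguments.

    length == 0 means "one full hash output", matching PHP's default.
    """
    if length == 0:
        length = hashlib.new(algo).digest_size
    return hkdf_expand(algo, hkdf_extract(algo, ikm, salt), length, info)


def rfc5869_test_case_1() -> dict:
    """RFC 5869 Appendix A.1 vector (SHA-256): returns hex PRK and OKM."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract("sha256", ikm, salt)
    okm = hkdf_expand("sha256", prk, 42, info)
    return {"prk": prk.hex(), "okm": okm.hex()}


def salt_and_info_effect() -> dict:
    """Constructed inputs showing which parameter changes which stage.

    - salt changes the PRK (extract stage);
    - info changes the OKM but not the PRK (expand stage);
    - length only changes how many OKM bytes are returned, not their values.
    """
    ikm = b"constructed-128-bit-key!"  # constructed sample IKM, not a real key
    prk_no_salt = hkdf_extract("sha256", ikm)
    prk_salt = hkdf_extract("sha256", ikm, b"constructed-salt")
    okm_a = hkdf_expand("sha256", prk_salt, 32, b"aes-key")
    okm_b = hkdf_expand("sha256", prk_salt, 32, b"hmac-key")
    okm_long = hkdf_expand("sha256", prk_salt, 48, b"aes-key")
    return {
        "salt_changes_prk": prk_no_salt != prk_salt,
        "info_separates_keys": okm_a != okm_b,
        "length_is_prefix": okm_long[:32] == okm_a,
        # an empty salt is exactly HMAC keyed with HashLen zero bytes
        "empty_salt_is_zero_key": prk_no_salt
        == hmac.new(b"\x00" * 32, ikm, "sha256").digest(),
    }


if __name__ == "__main__":
    print(rfc5869_test_case_1())
    print(salt_and_info_effect())
```

Running the file prints the RFC vector and a dictionary of four booleans; the zero-key check is what makes the "no salt" case concrete, since it shows the extract step then depends on nothing but the IKM and a public constant.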