Hi,

On Tue, Feb 7, 2017 at 10:22 PM, Scott Arciszewski <sc...@paragonie.com>
wrote:

>
>
> Although the RFC itself says that salts are optional, the argument to make
> them required in PHP's implementation has merit. The only downside is: If
> you're integrating with an implementation that doesn't require salts, and
> the application doesn't use salts, you're out of luck. Is that enough of a
> downside to dismiss an argument for better security? Maybe.
>
>
I said this in another thread already, but I'll re-iterate here ... Using a
salt should be recommended, but the suggestion here takes that out of
context and misses a key point - that the Length and Info params are not of
any less importance overall.

- Length is effectively the key size and is in fact not optional in
RFC5869*. You have to really know what you're doing if you don't use it,
and choose the hash function very carefully. I'd argue that if you know
this well enough, you'd also know what to do with Salt.
- Info is technically optional, but pretty much the feature why you'd
choose HKDF over other KDFs. It's what makes HKDF more useful in that it
enables derivation of multiple OKMs from a single IKM. If you don't need
Info, chances are you don't need HKDF.

One could use Salt for the purposes of Info, but that would be misusing the
algorithm.
Over-focusing on Section 3.1 of the specification, while at the same time
ignoring Section 3.2 - arbitrarily making OptionalParamX mandatory because
the note about it mentions the word "security". Noble, but misguided.

I'd have no problem if ALL of the params were made non-optional - I'm all
for that, but either do that or leave it untouched.

* RFC 5869: https://tools.ietf.org/html/rfc5869

Cheers,
Andrey.
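
Added example, not part of the original message and not PHP's own source: RFC 5869 written out with hash_hmac() to show where Salt, Info and Length each enter the computation, then checked against the built-in hash_hkdf(). The function name hkdf_explicit and the Info labels are hypothetical, and the IKM and salt are constructed sample values.

```php
<?php
declare(strict_types=1);

// RFC 5869 spelled out step by step so the role of each parameter is visible.
function hkdf_explicit(string $algo, string $ikm, int $length, string $info, string $salt): string
{
    $hashLen = strlen(hash($algo, '', true));
    if ($length < 1 || $length > 255 * $hashLen) {
        throw new InvalidArgumentException('length must be between 1 and 255 * HashLen');
    }

    // Section 2.2, Extract: Salt is the HMAC key. A missing salt is HashLen zero bytes.
    if ($salt === '') {
        $salt = str_repeat("\0", $hashLen);
    }
    $prk = hash_hmac($algo, $ikm, $salt, true);

    // Section 2.3, Expand: Info goes into every block, Length decides how many blocks.
    $okm = '';
    $block = '';
    for ($i = 1; strlen($okm) < $length; $i++) {
        $block = hash_hmac($algo, $block . $info . chr($i), $prk, true);
        $okm .= $block;
    }
    return substr($okm, 0, $length);
}

// Constructed sample input: one input keying material and one random salt.
$ikm  = random_bytes(32);
$salt = random_bytes(32);

// Two keys from a single IKM: same Salt, different Info, explicit Length for each.
$encKey = hkdf_explicit('sha256', $ikm, 32, 'example-app:encryption', $salt);
$macKey = hkdf_explicit('sha256', $ikm, 64, 'example-app:authentication', $salt);

// Length controls the output size.
var_dump(strlen($encKey) === 32, strlen($macKey) === 64);

// Info separates the outputs even though IKM and Salt are identical.
var_dump(!hash_equals($encKey, substr($macKey, 0, 32)));

// The step-by-step version agrees with the built-in function (PHP 7.1.2 or later).
var_dump(hash_equals($encKey, hash_hkdf('sha256', $ikm, 32, 'example-app:encryption', $salt)));
```

All four var_dump() results are bool(true); Salt only keys the Extract step, which is why it cannot stand in for Info without changing what the construction is for.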
