Hi,

On Fri, Sep 8, 2017 at 12:32 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> The reason why the latter is a lot more secure is related to Andrey's
> misunderstanding.
> He said "when ikm is cryptographically strong, salt wouldn't add any more
> entropy, so salt does not matter". (not exact sentence)
> What he said is partially true, but wrong in a sense of key security.
>

I have never said that. You are aware enough of your own English fluency,
and should know not to paraphrase other people's words, as you are
completely twisting their meaning.

> Another misunderstanding that should be noted is what HKDF is for. It's for
> general purpose KDF, as the RFC describes in the HKDF application section.
> Andrey said "I'm cherry picking sentence", but the section should be what
> HKDF is for. The section even describes obscure usage, HKDF for CSPRNG.
> This usage is not even key derivation.
>

You ARE cherry-picking, and ignoring all evidence that contradicts you:

> This one I'm not sure is a misunderstanding or not, but probably it is.
> HKDF is designed for any ikm and works with appropriate usage. Very
> weak ikm like a user-entered password can be handled relatively safely.
>
> $safe_key = hash_hkdf("sha256", 'mypassword', 0, '',
> $csprng_generated_random_key);
> // $csprng_generated_random_key should be kept secret because ikm is too
> weak
>
> Without salt, it's a disaster. Please note that salt is the last optional
> parameter currently.
>
> $dangerous_key = hash_hkdf("sha256", 'mypassword'); // Disaster!
>
> With this usage, attackers can build a pre-hashed dictionary. Even when they
> don't have a dictionary, the usual brute force attack is very effective. One
> may think additional hashing would mitigate the risk, i.e.
>
> $dangerous_key = hash_hkdf("sha256", hash("sha256", 'mypassword')); // Disaster!
>
> This does not help much when the algorithm is known to attackers. Brute force
> attack is still effective. Adding a secret salt (key) helps with this usage
> also.
>

IKM must always be strong; this is explicitly stated in the RFC, as I already
pointed out here: https://externals.io/message/98639#98874

And the reasons why were already explained in very simple terms here:
https://externals.io/message/98250#98272

Enough already.

Cheers,
Andrey.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
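As an added example (not code from the thread or from PHP itself), here is a Python re-implementation of HKDF (RFC 5869) using the argument order of hash_hkdf() as quoted above. It checks the RFC's first test vector and shows the mechanics behind the disagreement: an omitted salt is defined as HashLen zero bytes, a fixed public value, so a key derived from a weak IKM without a secret salt is a deterministic and cheap function of that IKM alone. WEAK_IKM, CONSTRUCTED_SECRET_SALT and the helper names are constructed for this example.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes, algo: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM). An omitted salt is
    defined as HashLen zero bytes, i.e. a fixed, public value."""
    if not salt:
        salt = b"\x00" * hashlib.new(algo).digest_size
    return hmac.new(salt, ikm, algo).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int, algo: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i = 1..N."""
    hash_len = hashlib.new(algo).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be in 1..255*HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), algo).digest()
        okm += block
        counter += 1
    return okm[:length]

def hash_hkdf(algo: str, ikm: bytes, length: int = 0,
              info: bytes = b"", salt: bytes = b"") -> bytes:
    """Mirrors the parameter order of PHP's hash_hkdf() as used in the thread
    (assumption: salt last, length 0 meaning HashLen)."""
    if length == 0:
        length = hashlib.new(algo).digest_size
    return hkdf_expand(hkdf_extract(salt, ikm, algo), info, length, algo)

def rfc5869_test_case_1() -> bytes:
    """Test Case 1 from RFC 5869 Appendix A (SHA-256, 42-byte output)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    return hash_hkdf("sha256", ikm, 42, info, salt)

WEAK_IKM = b"mypassword"               # constructed weak input
CONSTRUCTED_SECRET_SALT = bytes(range(32))  # constructed; a real one comes from a CSPRNG

def no_salt_equals_zero_salt() -> bool:
    """'No salt' is the HMAC key 0x00*HashLen, known to everyone: the output
    depends on the weak IKM alone and costs two HMAC calls to recompute."""
    return hash_hkdf("sha256", WEAK_IKM) == hash_hkdf(
        "sha256", WEAK_IKM, 0, b"", b"\x00" * 32)

def secret_salt_changes_output() -> bool:
    """With a secret salt the key is no longer a function of the IKM alone,
    which is the $safe_key scenario from the quoted message."""
    return hash_hkdf("sha256", WEAK_IKM) != hash_hkdf(
        "sha256", WEAK_IKM, 0, b"", CONSTRUCTED_SECRET_SALT)
```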