Re: [PATCH 3/5] crypto: add RFC5869 HKDF
On Thu, Jan 07, 2021 at 08:53:15AM +0100, Stephan Mueller wrote: > > > > > RFC5869 > > > allows two optional parameters to be provided to the extract operation: > > > the salt and additional information. Both are to be provided with the > > > seed parameter where the salt is the first entry of the seed parameter > > > and all subsequent entries are handled as additional information. If > > > the caller intends to invoke the HKDF without salt, it has to provide a > > > NULL/0 entry as first entry in seed. > > > > Where does "additional information" for extract come from? RFC 5869 has: > > > > HKDF-Extract(salt, IKM) -> PRK > > > > Inputs: > > salt optional salt value (a non-secret random value); > > if not provided, it is set to a string of HashLen > > zeros. > > IKM input keying material > > > > There's no "additional information". > > I used the terminology from SP800-108. I will update the description > accordingly. For HKDF, it would be better to stick to the terminology used in RFC 5869 (https://tools.ietf.org/html/rfc5869), as generally that's what people are most familiar with for HKDF. It also matches the HKDF paper (https://eprint.iacr.org/2010/264.pdf) more closely. - Eric
Re: [PATCH 3/5] crypto: add RFC5869 HKDF
Am Mittwoch, dem 06.01.2021 um 23:30 -0800 schrieb Eric Biggers: > On Mon, Jan 04, 2021 at 10:49:13PM +0100, Stephan Müller wrote: > > RFC5869 specifies an extract and expand two-step key derivation > > function. The HKDF implementation is provided as a service function that > > operates on a caller-provided HMAC cipher handle. > > HMAC isn't a "cipher". > > > The extract function is invoked via the crypto_hkdf_setkey call. > > Any reason not to call this crypto_hkdf_extract(), to match the > specification? I named it to match the other KDF implementation. But you are right, I will name it accordingly. > > > RFC5869 > > allows two optional parameters to be provided to the extract operation: > > the salt and additional information. Both are to be provided with the > > seed parameter where the salt is the first entry of the seed parameter > > and all subsequent entries are handled as additional information. If > > the caller intends to invoke the HKDF without salt, it has to provide a > > NULL/0 entry as first entry in seed. > > Where does "additional information" for extract come from? RFC 5869 has: > > HKDF-Extract(salt, IKM) -> PRK > > Inputs: > salt optional salt value (a non-secret random value); > if not provided, it is set to a string of HashLen > zeros. > IKM input keying material > > There's no "additional information". I used the terminology from SP800-108. I will update the description accordingly. > > > > > The expand function is invoked via the crypto_hkdf_generate and can be > > invoked multiple times. This function allows the caller to provide a > > context for the key derivation operation. As specified in RFC5869, it is > > optional. In case such context is not provided, the caller must provide > > NULL / 0 for the info / info_nvec parameters. > > Any reason not to call this crypto_hkdf_expand() to match the specification? I will update the function name. Thanks Stephan > > - Eric
Re: [PATCH 3/5] crypto: add RFC5869 HKDF
On Mon, Jan 04, 2021 at 10:49:13PM +0100, Stephan Müller wrote: > RFC5869 specifies an extract and expand two-step key derivation > function. The HKDF implementation is provided as a service function that > operates on a caller-provided HMAC cipher handle. HMAC isn't a "cipher". > The extract function is invoked via the crypto_hkdf_setkey call. Any reason not to call this crypto_hkdf_extract(), to match the specification? > RFC5869 > allows two optional parameters to be provided to the extract operation: > the salt and additional information. Both are to be provided with the > seed parameter where the salt is the first entry of the seed parameter > and all subsequent entries are handled as additional information. If > the caller intends to invoke the HKDF without salt, it has to provide a > NULL/0 entry as first entry in seed. Where does "additional information" for extract come from? RFC 5869 has: HKDF-Extract(salt, IKM) -> PRK Inputs: salt optional salt value (a non-secret random value); if not provided, it is set to a string of HashLen zeros. IKM input keying material There's no "additional information". > > The expand function is invoked via the crypto_hkdf_generate and can be > invoked multiple times. This function allows the caller to provide a > context for the key derivation operation. As specified in RFC5869, it is > optional. In case such context is not provided, the caller must provide > NULL / 0 for the info / info_nvec parameters. Any reason not to call this crypto_hkdf_expand() to match the specification? - Eric