| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <X/dYtjA6OJAKc3Pc@gmail.com>
Date: Thu, 7 Jan 2021 10:53:42 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Stephan Mueller <smueller@...onox.de>
Cc: herbert@...dor.apana.org.au, mathew.j.martineau@...ux.intel.com,
dhowells@...hat.com, linux-crypto@...r.kernel.org,
linux-fscrypt@...r.kernel.org, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org
Subject: Re: [PATCH 3/5] crypto: add RFC5869 HKDF
On Thu, Jan 07, 2021 at 08:53:15AM +0100, Stephan Mueller wrote:
> >
> > > RFC5869
> > > allows two optional parameters to be provided to the extract operation:
> > > the salt and additional information. Both are to be provided with the
> > > seed parameter where the salt is the first entry of the seed parameter
> > > and all subsequent entries are handled as additional information. If
> > > the caller intends to invoke the HKDF without salt, it has to provide a
> > > NULL/0 entry as first entry in seed.
> >
> > Where does "additional information" for extract come from? RFC 5869 has:
> >
> > HKDF-Extract(salt, IKM) -> PRK
> >
> > Inputs:
> > salt optional salt value (a non-secret random value);
> > if not provided, it is set to a string of HashLen
> > zeros.
> > IKM input keying material
> >
> > There's no "additional information".
>
> I used the terminology from SP800-108. I will update the description
> accordingly.
For HKDF, it would be better to stick to the terminology used in RFC 5869
(https://tools.ietf.org/html/rfc5869), as generally that's what people are most
familiar with for HKDF. It also matches the HKDF paper
(https://eprint.iacr.org/2010/264.pdf) more closely.
- Eric
Powered by blists - more mailing lists