rfc:improve_hash_hkdf_parameter

Differences

This shows you the differences between two versions of the page.

rfc:improve_hash_hkdf_parameter [2017/03/24 20:56] yohgakirfc:improve_hash_hkdf_parameter [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 2: Line 2:
   * Version: 1.0   * Version: 1.0
   * Create Date: 2017-02-05   * Create Date: 2017-02-05
-  * Discussion Start: 2017-02-13+  * Discussion Start: 2017-03-26
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under Discussion+  * Status: Rejected
   * First Published at: http://wiki.php.net/rfc/improve_hash_hkdf_parameter   * First Published at: http://wiki.php.net/rfc/improve_hash_hkdf_parameter
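
Review bot: The Discussion Start line now reads 2017-03-26, the same date that the vote block added later in this diff gives as Vote start, and the earlier value 2017-02-13 is dropped. If discussion did open on 2017-02-13, keep that date so the header still records how long the RFC was discussed before voting; with Status now Rejected, this header is the historical record.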
  
Line 36: Line 36:
 Example 4: Example 4:
 <code php> <code php>
-  // $proto_version, $algo, $user_id are not secret.+  // $proto_version, $algo, $user_id are non-secret.
   $info = $proto_version . $algo . $user_id;   $info = $proto_version . $algo . $user_id;
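
Review bot: The context line "$info = $proto_version . $algo . $user_id;" joins three fields with no separator or length prefix, so two different (version, algo, user id) combinations can produce the same $info and therefore the same derived key for a given IKM and salt. While the comment above it is being reworded, the example would be better with fixed-width fields or an unambiguous delimiter, since readers copy RFC examples.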
  
Line 52: Line 52:
 </code> </code>
  
-Newly introduced HKDF function (hash_hkdf) has different signature currently.+Newly introduced HKDF function (hash_hkdf) has different signature that is inconsistent with hash() and hash_hmac() functions even if hash_hkdf() is simple hash_hmac() extension.
  
 ===== Proposal ===== ===== Proposal =====
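
Review bot: The replacement sentence calls hash_hkdf() a "simple hash_hmac() extension" without saying in what sense, and the consistency argument rests on that phrase. HKDF is built from HMAC, but its inputs (IKM, salt, info, output length) have different roles than hash_hmac()'s data and key, so state which hash_hmac() parameters are meant to line up with which hash_hkdf() parameters. The wording also needs an article: "has a different signature that is inconsistent with hash() and hash_hmac()".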
Line 75: Line 75:
 </code> </code>
   * $salt: Required. Set empty string to use without salt. More precedence over $info because HKDF security depends on $salt or $ikm strength.   * $salt: Required. Set empty string to use without salt. More precedence over $info because HKDF security depends on $salt or $ikm strength.
-  * $info: Required. Set empty string to use without salt. Optional context but user should use hash_hmac() without $info.+  * $info: Required. Set empty string to use without info. Optional context but user should use hash_hmac() without $info.
   * $length: Optional. Mostly needless unless users need key derivations for low level crypto operations.   * $length: Optional. Mostly needless unless users need key derivations for low level crypto operations.
   * $raw_output: Optional. Added for hash API consistency. Specify return value format, raw(binary) or HEX. Majority of PHP use cases would require non binary output and HEX is good enough.   * $raw_output: Optional. Added for hash API consistency. Specify return value format, raw(binary) or HEX. Majority of PHP use cases would require non binary output and HEX is good enough.
  
 Note: Only changed/added parts are described. Note: Only changed/added parts are described.
 +
 +
 +=== Short Rationale - security, parameter importance, hash_hmac() signature ===
  
 Insecure usage is easily possible with current signature. Insecure usage is easily possible with current signature.
 <code php> <code php>
-$key = hash_hkdf('sha256', $weak_key); // Generate secure $key!! <= This isn't secure at all w/o strong salt. +$key = hash_hkdf('sha256', $weak_key); // Generate insecure $key!! <= This isn't secure at all w/o strong salt. 
-$key = hash_hkdf('sha256', $weak_key, 80); // Generate even more secure $key!! <= Length does not add strength to OKM. +$key = hash_hkdf('sha256', $weak_key, 80); // Generate even more insecure $key!! <= Length does not add strength to OKM. 
-$key = hash_hkdf('sha256', $weak_key, 80, 'Admin'); // Generate even more secure $key only usable in 'Admin' context!! <= info does not add strength to OKM because it supposed to be non secret.+$key = hash_hkdf('sha256', $weak_key, 80, 'Admin'); // Generate even more insecure $key only usable in 'Admin' context!! <= info does not add strength to OKM because it supposed to be non secret.
 </code> </code>
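
Review bot: In the three rewritten code comments, "even more insecure" on the second and third calls says the opposite of the explanations on the same lines: "Length does not add strength to OKM" and "info does not add strength to OKM" mean the key is no stronger, not weaker. "Still insecure" would match. In the same hunk the $info bullet is labelled both "Required" and "Optional context", which the salt-to-info correction leaves unresolved.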
  
Line 283: Line 286:
   * When key(s) must be unique, either IKM or salt must be unique.   * When key(s) must be unique, either IKM or salt must be unique.
  
-Although it may seem IKM and salt is interchangeable, there is important difference that salt must be not be user controllable. salt and info may seem they are interchangeable. However unlike salt, info must always be non secret.  +Although it may seem IKM and salt is interchangeable, there is important difference that salt must be not be user controllable. salt and info may seem they are interchangeable. However unlike salt, info is supposed to be non secret.  
  
 ==== hash_hkdf() behavior and other hash functions ==== ==== hash_hkdf() behavior and other hash functions ====
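
Review bot: The changed sentence softens "info must always be non secret" to "is supposed to be non secret" but leaves the defects earlier in the same paragraph: "salt must be not be user controllable" has a stray "be", and "IKM and salt is interchangeable" should use "are". The salt requirement is the security-relevant statement here, so correct it to "salt must not be user controllable" in the same edit.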
Line 662: Line 665:
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-None. hash_hkdf() is new function.+It is merged into PHP 7.1.2.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
  
-Next PHP 7.x+Next PHP 7.x and 7.1.x
  
 ===== RFC Impact ===== ===== RFC Impact =====
  
-None.+PHP 7.1.2/7.1.3 has hash_hkdf().
  
 ===== Open Issues ===== ===== Open Issues =====
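
Review bot: Under Backward Incompatible Changes the new text "It is merged into PHP 7.1.2." states a release fact but not the incompatibility. The examples earlier on this page call hash_hkdf('sha256', $weak_key, 80, 'Admin') with length third and info fourth, while the proposed parameter list puts $salt and $info ahead of $length, so existing positional calls would be interpreted differently. Say that here and under RFC Impact, and note that "Next PHP 7.x and 7.1.x" means changing the signature of an already released function within the 7.1.x branch.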
Line 678: Line 681:
 ===== Unaffected PHP Functionality ===== ===== Unaffected PHP Functionality =====
  
-Nothing is affected. hash_hkdf() is new function does not affect any.+Other than hash_hkdf() signature and return value, nothing is affected.
  
 ===== Future Scope ===== ===== Future Scope =====
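
Review bot: "Other than hash_hkdf() signature and return value, nothing is affected" names the return value without saying what changes about it. The proposal adds $raw_output to choose between raw binary and HEX; spell out which one is the default, because callers who pass the result on as key bytes need to know which format they receive.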
Line 687: Line 690:
 State whether this project requires a 2/3 State whether this project requires a 2/3
  
 +<doodle title="Fix hash_hkdf() signature and behavior" auth="yohgaki" voteType="single" closed="true">
 +   * Yes
 +   * No
 +</doodle>
  
 +Vote start: 2017-03-26
 +Vote end: 2017-04-07 UTC 23:59:59
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
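
Review bot: The added doodle block sits under the leftover template text "State whether this project requires a 2/3", which is cut off and never answered, so the page does not say what majority the vote needed. Replace the placeholder with the actual requirement. "Vote start: 2017-03-26" also lacks the time and zone that "Vote end: 2017-04-07 UTC 23:59:59" gives.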
rfc/improve_hash_hkdf_parameter.1490388981.txt.gz · Last modified: 2017/09/22 13:28 (external edit)