rfc:improve_hash_hkdf_pramater
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
rfc:improve_hash_hkdf_pramater [2017/02/05 04:14] – yohgaki | rfc:improve_hash_hkdf_pramater [2017/02/05 06:30] – yohgaki | ||
---|---|---|---|
Line 98: | Line 98: | ||
- Get the secret password hash generated by hash_password() for the user. $ikm | - Get the secret password hash generated by hash_password() for the user. $ikm | ||
- Get application secret salt stored in secure place. e.g. $_ENV $salt | - Get application secret salt stored in secure place. e.g. $_ENV $salt | ||
- | - Generate HKDF hash value with 1 and 2. hash_hkdf(' | + | - Generate HKDF hash value with 1 and 2. < |
- Encrypt the user data with the key from 3 | - Encrypt the user data with the key from 3 | ||
Line 125: | Line 125: | ||
Setting up CSRF token | Setting up CSRF token | ||
- Get expiration timestamp. ($salt) | - Get expiration timestamp. ($salt) | ||
- | - Generate HKDF value with 1 and session ID ($ikm). | + | - Generate HKDF value with 1 and session ID ($ikm). |
- Send key from 2 and timestamp from 1 to browser as CSRF token. | - Send key from 2 and timestamp from 1 to browser as CSRF token. | ||
Line 131: | Line 131: | ||
- Get HKDF key and timestamp($salt) value from request. | - Get HKDF key and timestamp($salt) value from request. | ||
- Check if timestamp is not expired. | - Check if timestamp is not expired. | ||
- | - Generate HKDF value from session ID($ikm) and timestamp($salt). | + | - Generate HKDF value from session ID($ikm) and timestamp($salt). |
- Compare HKDF value sent by browser and server generated HKDF value if it matches. | - Compare HKDF value sent by browser and server generated HKDF value if it matches. | ||
Line 142: | Line 142: | ||
https:// | https:// | ||
- | Therefore, use of session ID as CSRF token key source is not recommended. You are better to use separate key for CSRF token generation in $_SESSION. e.g. $_SESSION[' | + | Therefore, use of session ID as CSRF token key source is not recommended. You are better to use separate key for CSRF token generation in $_SESSION. e.g. $_SESSION[' |
==Use of info parameter== | ==Use of info parameter== | ||
Line 150: | Line 150: | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | Internet RFC clearly recommends " | + | Internet RFC clearly recommends " |
Change hash_hkdf() signature from | Change hash_hkdf() signature from | ||
Line 167: | Line 167: | ||
From user perspective, | From user perspective, | ||
- | Unlike " | + | Unlike " |
Typical PHP applications that need HKDF can use (or should use) salt for security reasons as examples above. Users should consider if salt can be used or not. If use of salt is impossible, then it should set to be empty. Users shouldn' | Typical PHP applications that need HKDF can use (or should use) salt for security reasons as examples above. Users should consider if salt can be used or not. If use of salt is impossible, then it should set to be empty. Users shouldn' |
rfc/improve_hash_hkdf_pramater.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1