11 Matching Annotations
  1. Sep 2020
1. Parse U as X ‖ Y with |X| = d

      This is exactly the pattern of calls to the hash function inside HMAC: Hash( (K' xor opad) || Hash( (K' xor ipad) || m ) ).

      This clarifies that the simulator can only simulate calls to Hash that have this form, i.e. that are done from within HMAC. It cannot consistently simulate calls of a different form, i.e. that are done directly.

      The consequence for a protocol that uses this theorem for its security proof is that the hash function cannot be used directly for arbitrary calls.

2. Another example is exactly the set of widest consequence: the set of all keys of a fixed length that is less than d−1.

      This works because internally, the key will be padded up to the block length. Then, there will be at least one byte where the two different paddings can be distinguished.
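The two annotations above describe the shape of the Hash calls inside HMAC and the role of the zero padding of the key. The following is an added example (not code from the annotated paper or from any library) that builds HMAC from the bare hash function exactly in the nested form Hash((K' xor opad) || Hash((K' xor ipad) || m)), exposes the two Hash inputs so the "form" the simulator can handle is visible, cross-checks the result against Python's `hmac` module, and shows the padding effect: a key and the same key with a trailing zero byte are padded to the same K' and therefore produce the same tag, which cannot happen between two keys of one fixed length below the block size. The function names and the sample message are constructed for this example.

```python
import hashlib
import hmac  # stdlib HMAC, used only to cross-check the hand-rolled construction


def hmac_hash_inputs(key: bytes, msg: bytes, hash_ctor=hashlib.sha256):
    """Return the two byte strings that HMAC feeds to Hash, in call order:
    (K' xor ipad) || msg              -- the inner call
    (K' xor opad) || Hash(inner)      -- the outer call
    These are the only Hash calls "of HMAC form" that a simulator has to answer.
    """
    d = hash_ctor().block_size              # d: hash block length, 64 bytes for SHA-256
    if len(key) > d:                        # keys longer than one block are hashed first
        key = hash_ctor(key).digest()
    k_prime = key.ljust(d, b"\x00")         # K': key zero-padded to exactly d bytes
    inner_input = bytes(b ^ 0x36 for b in k_prime) + msg
    inner_digest = hash_ctor(inner_input).digest()
    outer_input = bytes(b ^ 0x5C for b in k_prime) + inner_digest
    return inner_input, outer_input


def hmac_from_hash(key: bytes, msg: bytes, hash_ctor=hashlib.sha256) -> bytes:
    """Hash((K' xor opad) || Hash((K' xor ipad) || msg)), built only from Hash."""
    _, outer_input = hmac_hash_inputs(key, msg, hash_ctor)
    return hash_ctor(outer_input).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-rolled HMAC-SHA256 against the standard library."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_from_hash(key, msg), expected)


def padding_collision(key: bytes, msg: bytes, hash_ctor=hashlib.sha256) -> bool:
    """True when key and key||0x00 yield the same tag: both are zero-padded to the
    same K' whenever |key| < d. Two distinct keys of one fixed length below d are
    never merged by the padding, which is why such a key set is a safe choice."""
    return hmac_from_hash(key, msg, hash_ctor) == hmac_from_hash(key + b"\x00", msg, hash_ctor)


if __name__ == "__main__":
    msg = b"constructed sample message"           # constructed input for the demo
    inner, outer = hmac_hash_inputs(b"secret", msg)
    print("inner Hash input length:", len(inner), "| outer Hash input length:", len(outer))
    print("matches hmac module:", matches_stdlib(b"secret", msg))
    print("'secret' and 'secret\\x00' collide:", padding_collision(b"secret", msg))
    print("64-byte key and 65-byte key collide:", padding_collision(b"x" * 64, msg))
```

The 64-byte key case shows the boundary: appending a byte pushes the key past one block, so it is hashed down to a digest before padding and the tags no longer agree.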

  2. Aug 2020
    1. some applications may even have a secret salt value available for use; in such a case, HKDF provides an even stronger security guarantee.

      It seems to be ok to use a secret or something derived from a secret as salt.

  3. Apr 2020
    1. HMAC is used with all hash functions instead of allowing hashes to use a more specialized function (e.g. keyed BLAKE2), because: HKDF requires the use of HMAC

      This does not comment on the choice of HKDF over specialized hash function modes that are designed to be a KDF (like BLAKE3 seems to do). The comment “HMAC applies nested hashing to process each input. This "extra" hashing might mitigate the impact of hash function weakness.” applies at the level of HKDF, too.

  4. Mar 2020
    1. In the case of password-based KDFs, a main goal is to slow down dictionary attacks using two ingredients: a salt value, and the intentional slowing of the key derivation computation. HKDF naturally accommodates the use of salt; however, a slowing down mechanism is not part of this specification.
    2. Ideally, the salt value is a random (or pseudorandom) string of the length HashLen. Yet, even a salt value of less quality (shorter in size or with limited entropy) may still make a significant contribution to the security of the output keying material;
    3. (and adding 'info' as an input to the extract step is not advisable -- see [HKDF-paper]).
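The Aug 2020 and Mar 2020 annotations quote the HKDF specification on the salt input: it is the key of the extract-step HMAC, it may be secret, and a missing salt is replaced by HashLen zero bytes. The following is an added example (not the specification's or any library's code) that implements HKDF-Extract and HKDF-Expand from the standard library HMAC and checks them against test case 1 of RFC 5869 Appendix A; it also shows that the empty salt and the all-zero salt are the same input, and that 'info' enters only the expand step. The `hkdf_*` function names and the secret-salt sample are constructed for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size           # HashLen in RFC 5869 terms: 32 for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM). The salt is the HMAC key; if it is absent the
    specification substitutes HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = first L bytes of T(1) || T(2) || ... with
    T(i) = HMAC-Hash(PRK, T(i-1) || info || i) and T(0) empty."""
    if length > 255 * HASH_LEN:
        raise ValueError("L must be at most 255 * HashLen")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-expand. 'info' is an expand-step input only."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Test case 1 from RFC 5869 Appendix A (SHA-256), used to check the implementation.
RFC_IKM = bytes([0x0B] * 22)
RFC_SALT = bytes(range(0x00, 0x0D))
RFC_INFO = bytes(range(0xF0, 0xFA))
RFC_PRK = "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
RFC_OKM = ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
           "34007208d5b887185865")


def rfc_vector_ok() -> bool:
    prk = hkdf_extract(RFC_SALT, RFC_IKM)
    okm = hkdf_expand(prk, RFC_INFO, 42)
    return prk.hex() == RFC_PRK and okm.hex() == RFC_OKM


def empty_salt_equals_zero_salt(ikm: bytes) -> bool:
    return hkdf_extract(b"", ikm) == hkdf_extract(b"\x00" * HASH_LEN, ikm)


if __name__ == "__main__":
    print("RFC 5869 test case 1 reproduced:", rfc_vector_ok())
    print("empty salt == zero salt:", empty_salt_equals_zero_salt(RFC_IKM))
    # A salt derived from a secret is just another HMAC key for the extract step
    # (constructed sample; the annotation notes this is acceptable).
    secret_salt = hashlib.sha256(b"constructed secret salt material").digest()
    okm_public = hkdf(RFC_SALT, RFC_IKM, b"app label", 32)
    okm_secret = hkdf(secret_salt, RFC_IKM, b"app label", 32)
    print("different salts give different OKM:", okm_public != okm_secret)
```

Because the salt is the HMAC key of the extract step, any value of up to one hash block is used as-is and longer values are hashed down first, exactly as in the HMAC construction; the expand step never sees the salt, only the PRK and 'info'.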