Re: [PATCH 3/5] crypto: add RFC5869 HKDF
From: Eric Biggers
Date: Thu Jan 07 2021 - 13:54:30 EST
On Thu, Jan 07, 2021 at 08:53:15AM +0100, Stephan Mueller wrote:
> >
> > > RFC5869
> > > allows two optional parameters to be provided to the extract operation:
> > > the salt and additional information. Both are to be provided with the
> > > seed parameter where the salt is the first entry of the seed parameter
> > > and all subsequent entries are handled as additional information. If
> > > the caller intends to invoke the HKDF without salt, it has to provide a
> > > NULL/0 entry as first entry in seed.
> >
> > Where does "additional information" for extract come from? RFC 5869 has:
> >
> > HKDF-Extract(salt, IKM) -> PRK
> >
> > Inputs:
> > salt optional salt value (a non-secret random value);
> > if not provided, it is set to a string of HashLen
> > zeros.
> > IKM input keying material
> >
> > There's no "additional information".
>
> I used the terminology from SP800-108. I will update the description
> accordingly.
For HKDF, it would be better to stick to the terminology used in RFC 5869
(https://tools.ietf.org/html/rfc5869), as generally that's what people are most
familiar with for HKDF. It also matches the HKDF paper
(https://eprint.iacr.org/2010/264.pdf) more closely.
- Eric