New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: x/crypto/hkdf: Allow skipping the extract stage #28237
Comments
This is also useful to TLS 1.3, so I'm going to add the following two APIs:
By the way, you say "can be skipped if there is sufficient entropy in the input key material", but the criteria is not the amount of entropy (which does not increase with the Extract step), but the distribution and length of the value. |
Change https://golang.org/cl/144398 mentions this issue: |
RFC 5869, Section 3.3 suggests it might be sometimes appropriate to use Expand without Extract, and it is reasonable to reuse (secret, salt) with different info values, in which case the Extract can be performed once as an optimization. TLS 1.3 also needs direct access to both Extract and Expand. pseudorandomKey is ugly to look at, but that's intentional, as it signals that this should have non-obvious properties to the user. The docs will make it clear it's not the thing you should use in most cases. Fixes golang/go#28237 Change-Id: Ib43ae8cdde0663aa4752172c39aadfb0e1c35f10 Reviewed-on: https://go-review.googlesource.com/c/144398 Reviewed-by: Adam Langley <agl@golang.org>
RFC 5869, Section 3.3 suggests it might be sometimes appropriate to use Expand without Extract, and it is reasonable to reuse (secret, salt) with different info values, in which case the Extract can be performed once as an optimization. TLS 1.3 also needs direct access to both Extract and Expand. pseudorandomKey is ugly to look at, but that's intentional, as it signals that this should have non-obvious properties to the user. The docs will make it clear it's not the thing you should use in most cases. Fixes golang/go#28237 Change-Id: Ib43ae8cdde0663aa4752172c39aadfb0e1c35f10 Reviewed-on: https://go-review.googlesource.com/c/144398 Reviewed-by: Adam Langley <agl@golang.org>
RFC 5869, Section 3.3 suggests it might be sometimes appropriate to use Expand without Extract, and it is reasonable to reuse (secret, salt) with different info values, in which case the Extract can be performed once as an optimization. TLS 1.3 also needs direct access to both Extract and Expand. pseudorandomKey is ugly to look at, but that's intentional, as it signals that this should have non-obvious properties to the user. The docs will make it clear it's not the thing you should use in most cases. Fixes golang/go#28237 Change-Id: Ib43ae8cdde0663aa4752172c39aadfb0e1c35f10 Reviewed-on: https://go-review.googlesource.com/c/144398 Reviewed-by: Adam Langley <agl@golang.org>
RFC 5869, Section 3.3 suggests it might be sometimes appropriate to use Expand without Extract, and it is reasonable to reuse (secret, salt) with different info values, in which case the Extract can be performed once as an optimization. TLS 1.3 also needs direct access to both Extract and Expand. pseudorandomKey is ugly to look at, but that's intentional, as it signals that this should have non-obvious properties to the user. The docs will make it clear it's not the thing you should use in most cases. Fixes golang/go#28237 Change-Id: Ib43ae8cdde0663aa4752172c39aadfb0e1c35f10 Reviewed-on: https://go-review.googlesource.com/c/144398 Reviewed-by: Adam Langley <agl@golang.org>
RFC 5869, Section 3.3 suggests it might be sometimes appropriate to use Expand without Extract, and it is reasonable to reuse (secret, salt) with different info values, in which case the Extract can be performed once as an optimization. TLS 1.3 also needs direct access to both Extract and Expand. pseudorandomKey is ugly to look at, but that's intentional, as it signals that this should have non-obvious properties to the user. The docs will make it clear it's not the thing you should use in most cases. Fixes golang/go#28237 Change-Id: Ib43ae8cdde0663aa4752172c39aadfb0e1c35f10 Reviewed-on: https://go-review.googlesource.com/c/144398 Reviewed-by: Adam Langley <agl@golang.org>
RFC5869 suggests that the extract stage of HKDF's extract-and-expand process can be skipped if there is sufficient entropy in the input key material. Would it be worth providing a separate function for initializing the
hkdf
struct directly?The text was updated successfully, but these errors were encountered: