Add HKDF #94

Closed
wants to merge 8 commits into from

@chrysn chrysn commented Dec 19, 2020

This is a cleaned-up version of what @marcovr did last year on HKDF support: Tests were moved into the test framework, components moved around a bit to match the conventional structure, a cose_crypto_is_hkdf function added.

Marco's implementation executes the HKDF steps based on sodium's HMAC.

It does not attempt to be drivable over a scatter-gather IKM or salt; the used sodium API calls don't support it. While that would be desirable, neither is it implemented for other parts of libcose.

Closes: #90

ToDo (and thus marked WIP):

  • Explore whether this is not actually a generic implementation based on any HMAC backend
    • It is -- but the question is more "do we expect to have many HMAC backends and few that actually implement HKDF" / "does it pay off to pull out the general parts now"? (Can't tell on the former, but leaning towards no on the latter.)
  • Check implementation correctness
    • Check implementation completeness -- long salts simply err out
  • Check implementation code style
  • Try it out as a user

@chrysn chrysn marked this pull request as draft December 19, 2020 16:20
There is no need for a selector on this branch, but one is coming up.

chrysn commented Dec 21, 2020

I've now managed to use this from within libOSCORE, and it's working alright and produces correct values. (The sodium implementation fails to implement larger seeds, though).

Things I've observed:

  • Placing HKDF is a funny intermediate thing. Crypto primitive libraries tend not to offer it because it's easy enough for the user, so it doesn't fit well with the cose_crypto_ style parts -- but high-level COSE doesn't have a primitive for it either: It has a concept of HMACs (e.g. algorithms 5, 6, 7) and of HKDF-based key derivation, but that's still a level higher up (-10, -11) that do use HKDF as a component.
    Not sure yet what to make out of this in terms of where to put it in here.
  • Streaming data into HKDFs is gon' be fun. The unbounded data can sit in the seed, the IKM or the info. For salt and IKM it's gonna be the same situation as with plain HMAC: salt (the HMAC's key) and IKM (the HMAC's input) might both be stream-worthy. For HMAC the sequence would be to stream in the key first (thus for HKDF, the salt), condensing it to one block size, and then the input (for HKDF, the IKM). Then, streaming in the info is even more fun, because that may be needed multiple times in a row, depending on the output size measured in block sizes.

With the streaming situation becoming complex, it may really be the better idea to implement HMAC streaming-ready (which is tricky on its own), and then to experiment with an HKDF API built on that, probably based on splitting the extract and expand steps.

That's all the streaming roadmap, anyway. If we're good with a v1 stream-free API, that can be good enough. (Especially considering that cose_crypto_* is not really part of the public API but rather something I've coopted for my devious uses). So far, I'm getting away doing upper-bounds estimates all around.
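
The streaming order discussed in the comment above, as an added example that is not part of the pull request or of libcose: HKDF-SHA256 split into extract and expand, with salt, IKM and info all fed in chunks. It uses Python's standard `hmac` module rather than sodium, and every function name here is hypothetical.

```python
import hashlib
import hmac

HASH, BLOCK, HASHLEN = hashlib.sha256, 64, 32  # SHA-256 block/digest sizes

def condense_key(chunks):
    """Reduce a streamed HMAC key (HKDF's salt) to at most one block.

    HMAC replaces a key longer than the block size by its hash, so hash the
    stream while keeping the first BLOCK bytes in case it turns out short.
    """
    h, head, total = HASH(), b"", 0
    for c in chunks:
        h.update(c)
        total += len(c)
        head = (head + c)[:BLOCK]
    return h.digest() if total > BLOCK else head

def hkdf_extract(salt_chunks, ikm_chunks):
    """Extract: PRK = HMAC(key=salt, msg=IKM); salt goes in first, then IKM."""
    mac = hmac.new(condense_key(salt_chunks), digestmod=HASH)
    for c in ikm_chunks:
        mac.update(c)
    return mac.digest()

def hkdf_expand(prk, info_chunks, length):
    """Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated.

    info_chunks is a callable returning a fresh iterator, because the info
    stream is replayed once per output block.
    """
    if length > 255 * HASHLEN:
        raise ValueError("HKDF output is limited to 255 hash lengths")
    okm, t = b"", b""
    for i in range(1, -(-length // HASHLEN) + 1):
        mac = hmac.new(prk, t, HASH)
        for c in info_chunks():
            mac.update(c)
        mac.update(bytes([i]))
        t = mac.digest()
        okm += t
    return okm[:length]

def rfc5869_case1():
    """RFC 5869 test case 1 inputs, fed in arbitrary small chunks."""
    salt = bytes(range(13))
    ikm = [b"\x0b" * 10, b"\x0b" * 12]
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract([salt[:5], salt[5:]], ikm)
    return prk, hkdf_expand(prk, lambda: iter([info[:3], info[3:]]), 42)
```

A salt longer than one block goes through the same path: `condense_key` returns its hash, which is what one-shot HMAC does with an over-long key.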

chrysn added a commit to coap-security/liboscore that referenced this pull request May 11, 2021
Otherwise, just no algorithms will ever be shown as supported; the
ifdefs are necessary while HKDF support in libcose is not upstreamed yet
(see bergzand/libcose#94)
@chrysn chrysn mentioned this pull request May 12, 2021
@fjmolinas

#120 is in so this can be closed

@fjmolinas fjmolinas closed this Apr 25, 2022