[noise] Minor KDF concern
trevp at trevp.net
Sat Jul 5 20:05:25 PDT 2014
On Sat, Jul 5, 2014 at 2:34 AM, Stephen Touset <stephen at squareup.com> wrote:
> While writing a basic implementation of Noise Boxes, I realized that the KDF
> doesn't mix the output length into the HMAC inputs. If you use the KDF to
> produce two keys of different lengths with the same secret, extra_data, and
> info parameters, the shorter key will be a prefix of the longer one.
> Does it make sense to append the key length to the message that is HMACed?
Good question. Currently that situation won't happen, because each
info (=SUITE_NAME || kdf_num) is only used with a single output_len.
If the KDF is used in a more general setting, I think I'd argue that
it's still the caller's responsibility to worry about this, by adding
whatever "info" is necessary to separate different KDF calls (which
could be a length field, or type fields as in Noise).
This is the same division of labor made by HKDF, which this is based
off. E.g. RFC 5869, section 3.2:
"It may also accommodate additional inputs to the key expansion part,
if so desired (e.g., an application may want to bind the key material
to its length L, thus making L part of the 'info' field)."
So to keep things simpler I'd lean towards *not* adding hashing of
output_len inside the KDF. Anyone disagree?
More information about the Noise