How stable are key derivation functions like HKDF?
Viktor Dukhovni
openssl-users at dukhovni.org
Wed May 3 13:47:34 UTC 2023
On Wed, May 03, 2023 at 04:05:49PM +1000, pauli at openssl.org wrote:
> They are never going to change in a way that breaks compatibility.
The point being that HKDFs are used in key agreement protocols with
independently implemented peers of unknown vintage. If the HKDF's
output is ever to be a different function of its input, it is a new
HKDF. In terms of CS type theory, an HKDF is a "pure function".
The only reason that an HKDF *could* change would be if a bug were
discovered in its implementation. In that unlikely scenario, a library
might consider exposing the legacy (buggy) implementation for legacy
purposes along with the fixed new version, if such a bug were to be
discovered. Ideally, the implementations of basic HKDFs are, and
indefinitely remain, correct.
--
Viktor.
More information about the openssl-users
mailing list