How stable are key derivation functions like HKDF?
Terry Chong
terry.y.t.chong at gmail.com
Wed May 3 15:37:01 UTC 2023
Thanks for answering!
Just curious, how do you enforce that the output never changes? Is there some programmatic way to do that?
> On May 3, 2023, at 6:54 AM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
> On Wed, May 03, 2023 at 04:05:49PM +1000, pauli at openssl.org wrote:
>
>> They are never going to change in a way that breaks compatibility.
>
> The point being that HKDFs are used in key agreement protocols with
> independently implemented peers of unknown vintage. If the HKDF's
> output is ever to be a different function of its input, it is a new
> HKDF. In terms of CS type theory, an HKDF is a "pure function".
>
> The only reason that an HKDF *could* change would be if a bug were
> discovered in its implementation. In that unlikely scenario, a library
> might consider exposing the legacy (buggy) implementation for legacy
> purposes along with the fixed new version, if such a bug were to be
> discovered. Ideally, the implementations of basic HKDFs are, and
> indefinitely remain, correct.
>
> --
> Viktor.
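
One programmatic way to pin a KDF's output is a known-answer test: fixed inputs, published expected outputs, and a check that fails the build on any difference. The sketch below is an added example, not code from this thread or from OpenSSL's test suite; it uses Python's `hmac`/`hashlib` and the HKDF-SHA256 vectors from RFC 5869 Appendix A (test cases 1 and 3), and the function names are hypothetical.

```python
import hashlib
import hmac

# RFC 5869 Appendix A, HKDF-SHA256 test cases 1 and 3 (hex-encoded).
VECTORS = [
    {"ikm": "0b" * 22, "salt": "000102030405060708090a0b0c",
     "info": "f0f1f2f3f4f5f6f7f8f9", "length": 42,
     "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
            "34007208d5b887185865"},
    # Edge case: empty salt and info (salt defaults to HashLen zero bytes).
    {"ikm": "0b" * 22, "salt": "", "info": "", "length": 42,
     "okm": "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
            "9d201395faa4b61a96c8"},
]

def hkdf_sha256(ikm, salt, info, length):
    """HKDF as specified in RFC 5869: extract a PRK, then expand it."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF")
    prk = hmac.new(salt or b"\x00" * hash_len, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_swapped_extract(ikm, salt, info, length):
    """Constructed regression: salt and IKM swapped in the extract step."""
    return hkdf_sha256(salt, ikm, info, length)

def failed_vectors(kdf):
    """Return the indices of the vectors that `kdf` does not reproduce."""
    failures = []
    for i, v in enumerate(VECTORS):
        got = kdf(bytes.fromhex(v["ikm"]), bytes.fromhex(v["salt"]),
                  bytes.fromhex(v["info"]), v["length"])
        if not hmac.compare_digest(got, bytes.fromhex(v["okm"])):
            failures.append(i)
    return failures

if __name__ == "__main__":
    print("reference implementation failures:", failed_vectors(hkdf_sha256))
    print("swapped-extract failures:", failed_vectors(hkdf_swapped_extract))
```

Run in CI against whatever implementation is actually shipped, a non-empty result from `failed_vectors` means the function no longer computes the same HKDF.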