
I am using a PQ-KEM to get a 32-byte shared secret. I want to derive 2 keys, 1 for encryption of messages using AES-CTR and another for HMAC-512. Can I safely ignore the salt and info parameters in HKDF-SHA512, as they are marked optional?

I want to skip the salt parameter because in https://datatracker.ietf.org/doc/html/rfc5869#section-3.4 it is stated that an attacker must not be able to manipulate the salt parameter. In my application the salt and info parameters for HKDF will be sent along with the encrypted message and its HMAC; however, on the recipient side, before verification of the HMAC, the salt and info values sent along with the encrypted message have to be used with HKDF to derive the key to verify the HMAC, and only then could I authenticate the salt, info and ciphertext. I guess this will make my crypto insecure; am I correct?

1 Answer

You only need to use a salt if you need domain separation or randomness extraction (as you can see from the comments in the randomness extraction answer, it is questionable as to whether a salt is actually even needed for randomness extraction).

The info parameter will contain strings as defined in your protocol that will allow different keys to be derived from the same initial keying material at the HKDF-Expand step. Therefore, since the choice of info parameter values used to generate each key will be defined in your protocol, you should not be transmitting them.

knaccc
  • A small doubt: since I am deriving 2 keys from a single shared secret, do I need domain separation in HKDF, since each key is used for a different purpose? – vladmir illusinov Jul 24 '22 at 15:40
  • @vladmirillusinov To answer, that would require full knowledge of your protocol and whether you were using that same shared secret elsewhere. To be safe, all you have to do is define a unique salt in your protocol. The salt would be exactly the same each time your protocol is used. The salt would be the same for generating each key, but the info string would be different for each key. – knaccc Jul 24 '22 at 16:14
  • Will it be a problem if the receiver gets the encrypted message but the salt gets modified by an attacker, in the scenario I mentioned in the question, as given here https://datatracker.ietf.org/doc/html/rfc5869#section-3.4? – vladmir illusinov Jul 25 '22 at 06:17
  • @vladmirillusinov If the salt is defined as part of your protocol, then you should not be sending the salt. Therefore, the attacker can't modify the salt and give the receiver a different salt. You probably don't need domain separation depending on how your PQ-KEM works and if you're not using the shared secret for any other purpose, which means the salt doesn't matter anyway. It's not a problem if the salt is modified unless the shared secret is being used in other contexts and an attacker can trick someone into using a salt to derive keys from your shared secret for use in a different domain. – knaccc Jul 25 '22 at 08:32
  • I am actually creating a new protocol from scratch, so the salt is not defined as part of the protocol. So an attacker can easily modify the salt. I will use the shared secret only to derive a key for encryption and a key for HMAC; I won't be using it for any other purpose. I wonder if in this case I need domain separation. – vladmir illusinov Jul 25 '22 at 15:50
  • @vladmirillusinov You should fully explain your proposed protocol, because the only reason domain separation exists is if there is something about your specific protocol that causes an issue. I'd recommend you define a salt in your protocol, because it costs you nothing and will be a safeguard against you missing something when designing your protocol. In general, it doesn't matter if the attacker uses the wrong salt, as long as the receiver uses the salt as defined in your protocol and the protocol aborts. I say "in general" because I have to guess about exactly what your protocol is. – knaccc Jul 25 '22 at 16:31
  • I am sorry. My protocol is a simple one, since I am learning cryptography. Alice generates a PQ private and public key pair. Bob receives the public key, which will contain the public key and the PQ crypto algorithm used. Bob verifies the fingerprint by calculating the SHA512 hash of the public key in hexdigest form and calling the sender over the phone. Now Bob will encrypt a shared secret of 32 bytes with Alice's public key. Bob will use HKDF with salt to derive 2 keys of 32 bytes, one for encryption with AES-CTR and another for HMAC-SHA256. The IV will be generated randomly for AES-CTR. To be continued in the next comment. – vladmir illusinov Jul 26 '22 at 07:51
  • Bob sends the encrypted message (AES), the encrypted shared secret (PQ encrypted only), the IV, the salt for HKDF and the HMAC value in plaintext. Alice will use her private key to get the shared secret, then use the salt, which may have been modified in transit. Alice generates the encryption key and HMAC key from the shared secret using HKDF. Alice verifies the integrity of all values; if everything is OK, then she decrypts the encrypted message to get the plaintext. I was wondering if I could skip the salt or if usage of the salt would lower security. – vladmir illusinov Jul 26 '22 at 07:52
  • @vladmirillusinov When using a salt for domain separation, it's not supposed to be unique to any sender or communication. It's supposed to be exactly the same for anyone that ever uses your protocol. So you should not be transmitting it. It would be a security issue if you did send it, because a sender could trick the recipient into using any salt the sender specified. I recommend that you do not skip the salt, and never transmit it (except when describing the general protocol to someone in a secure way). – knaccc Jul 26 '22 at 10:11
  • I will hardcode the random salt value for HKDF within my program; this will ensure everyone uses the same salt for communication. Thank you. – vladmir illusinov Jul 26 '22 at 10:50
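The key-derivation and verification flow discussed in the answer and comments, as an added example (not code from the question author or from knaccc). It implements HKDF-Extract and HKDF-Expand from RFC 5869 with the Python standard library, derives the AES-CTR key and the HMAC key from one KEM shared secret using a protocol-fixed salt and two distinct info strings, and shows the receiver verifying an encrypt-then-MAC tag before it would decrypt. The constant names, the salt and info values, the sample shared secret and the sample ciphertext are all assumptions constructed for the demo; AES-CTR itself is not in the standard library, so a fixed byte string stands in for its output.

```python
import hmac
import hashlib
from typing import Tuple

HASH = hashlib.sha512

# Protocol-wide constants (assumed names and constructed values). They are
# fixed in the protocol definition, identical for every sender, and never
# transmitted, so a peer cannot substitute its own salt.
PROTOCOL_SALT = b"example-protocol-v1/hkdf-salt"
INFO_ENC = b"example-protocol-v1/aes-256-ctr key"
INFO_MAC = b"example-protocol-v1/hmac-sha512 key"


def hkdf_extract(salt: bytes, ikm: bytes, hash_fn=HASH) -> bytes:
    """RFC 5869 2.2: PRK = HMAC-Hash(salt, IKM); an absent salt is HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hash_fn().digest_size
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_fn=HASH) -> bytes:
    """RFC 5869 2.3: OKM = T(1) || T(2) || ..., T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * hash_fn().digest_size:
        raise ValueError("requested output length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_fn).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, salt: bytes = PROTOCOL_SALT) -> Tuple[bytes, bytes]:
    """Derive the 32-byte AES-CTR key and the 32-byte HMAC key from one KEM shared secret.

    One HKDF-Extract, two HKDF-Expand calls: the distinct info strings give the
    keys domain separation. `salt` is a parameter only so the demo can show a
    peer using the wrong one; real code always uses PROTOCOL_SALT.
    """
    prk = hkdf_extract(salt, shared_secret)
    return hkdf_expand(prk, INFO_ENC, 32), hkdf_expand(prk, INFO_MAC, 32)


def compute_tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and the ciphertext, everything the receiver acts on."""
    return hmac.new(mac_key, iv + ciphertext, HASH).digest()


def receiver_accepts(shared_secret: bytes, iv: bytes, ciphertext: bytes,
                     received_tag: bytes, salt: bytes = PROTOCOL_SALT) -> bool:
    """Receiver side: re-derive the keys from the KEM secret, check the tag in
    constant time, and only on success would decryption proceed. False means abort."""
    _, mac_key = derive_keys(shared_secret, salt)
    return hmac.compare_digest(compute_tag(mac_key, iv, ciphertext), received_tag)


# Constructed sample data standing in for the KEM output and the AES-CTR output.
SAMPLE_SHARED_SECRET = bytes(range(32))
SAMPLE_IV = b"\x01" * 16
SAMPLE_CIPHERTEXT = b"\xde\xad\xbe\xef" * 8


def demo() -> dict:
    """Run the checks a designer would want: keys differ, a good message is accepted,
    a tampered ciphertext is rejected, and a peer using a different salt is rejected."""
    enc_key, mac_key = derive_keys(SAMPLE_SHARED_SECRET)
    good_tag = compute_tag(mac_key, SAMPLE_IV, SAMPLE_CIPHERTEXT)
    tampered_ct = SAMPLE_CIPHERTEXT[:-1] + b"\x00"
    return {
        "keys_differ": enc_key != mac_key,
        "accepts_untampered": receiver_accepts(SAMPLE_SHARED_SECRET, SAMPLE_IV, SAMPLE_CIPHERTEXT, good_tag),
        "rejects_modified_ct": not receiver_accepts(SAMPLE_SHARED_SECRET, SAMPLE_IV, tampered_ct, good_tag),
        "rejects_wrong_salt": not receiver_accepts(SAMPLE_SHARED_SECRET, SAMPLE_IV, SAMPLE_CIPHERTEXT,
                                                   good_tag, salt=b"not the protocol salt"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last check is the point knaccc makes about aborting: because the receiver derives its keys from the hard-coded salt rather than from anything in the message, a message built with some other salt simply fails the tag check, and nothing derived from the transmitted values is ever trusted before that check passes.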