What is the reason that in the HKDF standard (RFC 5869), in the "extract" phase, the 'salt' parameter is instantiated as the HMAC key, and the secret keying material 'IKM' is instantiated as the HMAC input data (so that the extract phase equation is PRK = HMAC(salt, IKM))? In particular, the RFC says that the salt, which plays the role of the key for the HMAC function, doesn't have to be secret at all. So it seems there is no security degradation if the key of the HMAC is known? And if the salt does not affect the security, why should it be used at all, rather than just computing hash(IKM) instead of a full HMAC?
Not a duplicate but contains more Multiple AES Key Derivation from a master key – kelalaka Jun 11 '20 at 19:40
I suspect that the size is the reason, it's pretty easy to restrict the size of the salt, while the input keying material can be any size. Note that the HMAC key may need to be first hashed, then XOR'ed twice and then hashed twice again. – Maarten Bodewes Jun 11 '20 at 23:08
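The extract step from the question, PRK = HMAC(salt, IKM), written out as an added example (not part of the original post or its comments), with HMAC-SHA256 spelled out per RFC 2104 so the key processing mentioned in the comment is visible. The function names are chosen here; the check value is test case 1 from RFC 5869 Appendix A.

```python
import hashlib
import hmac

BLOCK = 64     # SHA-256 block size in bytes
HASHLEN = 32   # SHA-256 output size in bytes


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104, written out to show how the key is handled."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()    # an over-long key is hashed first
    key = key.ljust(BLOCK, b"\x00")           # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)       # first XOR: inner pad
    opad = bytes(b ^ 0x5C for b in key)       # second XOR: outer pad
    inner = hashlib.sha256(ipad + msg).digest()   # msg may be any length
    return hashlib.sha256(opad + inner).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-Hash(salt, IKM).

    The salt is the HMAC key and the IKM is the HMAC message. If no salt is
    given, RFC 5869 sets it to HashLen zero bytes.
    """
    if not salt:
        salt = b"\x00" * HASHLEN
    return hmac_sha256_manual(salt, ikm)


def plain_hash(ikm: bytes) -> bytes:
    """The unsalted alternative the question asks about: hash(IKM)."""
    return hashlib.sha256(ikm).digest()


# RFC 5869 Appendix A.1 (test case 1) inputs and expected PRK.
RFC_IKM = bytes.fromhex("0b" * 22)
RFC_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC_PRK = bytes.fromhex(
    "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
)

if __name__ == "__main__":
    print("PRK, RFC salt :", hkdf_extract(RFC_SALT, RFC_IKM).hex())
    print("PRK, no salt  :", hkdf_extract(b"", RFC_IKM).hex())
    print("SHA-256(IKM)  :", plain_hash(RFC_IKM).hex())
```

With the same IKM, each distinct salt selects a different PRK, and none of them equals the plain hash of the IKM.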