MediaWiki REL1_33
|
Public Member Functions | |
__construct ( $secretKeyMaterial, $algorithm, BagOStuff $cache, $context) | |
__destruct () | |
Save the last block generated, so the next user will compute a different PRK from the same SKM. | |
generate ( $bytes, $context='') | |
Produce $bytes of secure random data. | |
Static Public Member Functions | |
static | HKDF ( $hash, $ikm, $salt, $info, $L) |
RFC5869 defines HKDF in 2 steps, extraction and expansion. | |
Static Public Attributes | |
static int[] | $hashLength |
Round count is computed based on the hash'es output length, which neither php nor openssl seem to provide easily. | |
Protected Member Functions | |
getSaltUsingCache () | |
MW specific salt, cached from last run. | |
Protected Attributes | |
string | $algorithm = null |
The hash algorithm being used. | |
BagOStuff | $cache = null |
The persistent cache. | |
string | $cacheKey = null |
Cache key we'll use for our salt. | |
array | $context = [] |
a "context information" string CTXinfo (which may be null) See http://eprint.iacr.org/2010/264.pdf Section 4.1 | |
string | $lastK |
The last block (K(i)) of the most recent expanded key. | |
string | $salt = '' |
binary string, the salt for the HKDF | |
Static Private Member Functions | |
static | HKDFExpand ( $hash, $prk, $info, $bytes, &$lastK='') |
Expand the key with the given context. | |
static | HKDFExtract ( $hash, $salt, $ikm) |
Extract the PRK, PRK = HMAC(XTS, SKM) Note that the hmac is keyed with XTS (the salt), and the SKM (source key material) is the "data". | |
Private Attributes | |
string | $prk = '' |
The pseudorandom key. | |
string | $skm |
The secret key material. | |
Definition at line 33 of file CryptHKDF.php.
CryptHKDF::__construct | ( | $secretKeyMaterial, | |
$algorithm, | |||
BagOStuff | $cache, | ||
$context | |||
) |
string | $secretKeyMaterial | |
string | $algorithm | Name of hashing algorithm |
BagOStuff | $cache | |
string | array | $context | Context to mix into HKDF context |
InvalidArgumentException | if secret key material is too short |
Definition at line 109 of file CryptHKDF.php.
CryptHKDF::__destruct | ( | ) |
Save the last block generated, so the next user will compute a different PRK from the same SKM.
This should keep things unpredictable even if an attacker is able to influence CTXinfo.
Definition at line 129 of file CryptHKDF.php.
References cache.
CryptHKDF::generate | ( | $bytes, | |
$context = '' |
|||
) |
Produce $bytes of secure random data.
As a side-effect, $this->lastK is set to the last hashLen block of key material.
int | $bytes | Number of bytes of data |
string | $context | Context to mix into CTXinfo |
Definition at line 165 of file CryptHKDF.php.
References $context, and getSaltUsingCache().
|
protected |
MW specific salt, cached from last run.
Definition at line 139 of file CryptHKDF.php.
References cache.
Referenced by generate().
|
static |
RFC5869 defines HKDF in 2 steps, extraction and expansion.
From http://eprint.iacr.org/2010/264.pdf:
The scheme HKDF is specifed as: HKDF(XTS, SKM, CTXinfo, L) = K(1) || K(2) || ... || K(t) where the values K(i) are defined as follows: PRK = HMAC(XTS, SKM) K(1) = HMAC(PRK, CTXinfo || 0); K(i+1) = HMAC(PRK, K(i) || CTXinfo || i), 1 <= i < t; where t = [L/k] and the value K(t) is truncated to its first d = L mod k bits; the counter i is non-wrapping and of a given fixed size, e.g., a single byte. Note that the length of the HMAC output is the same as its key length and therefore the scheme is well defined.
XTS is the "extractor salt" SKM is the "secret keying material"
N.B. http://eprint.iacr.org/2010/264.pdf seems to differ from RFC 5869 in that the test vectors from RFC 5869 only work if K(0) = '' and K(1) = HMAC(PRK, K(0) || CTXinfo || 1)
string | $hash | The hashing function to use (e.g., sha256) |
string | $ikm | The input keying material |
string | $salt | The salt to add to the ikm, to get the prk |
string | $info | Optional context (change the output without affecting the randomness properties of the output) |
int | $L | Number of bytes to return |
Definition at line 215 of file CryptHKDF.php.
|
staticprivate |
Expand the key with the given context.
string | $hash | Hashing Algorithm |
string | $prk | A pseudorandom key of at least HashLen octets (usually, the output from the extract step) |
string | $info | Optional context and application specific information (can be a zero-length string) |
int | $bytes | Length of output keying material in bytes (<= 255*HashLen) |
string | &$lastK | Set by this function to the last block of the expansion. In MediaWiki, this is used to seed future Extractions. |
InvalidArgumentException |
Definition at line 250 of file CryptHKDF.php.
References $output.
|
staticprivate |
Extract the PRK, PRK = HMAC(XTS, SKM) Note that the hmac is keyed with XTS (the salt), and the SKM (source key material) is the "data".
string | $hash | The hashing function to use (e.g., sha256) |
string | $salt | The salt to add to the ikm, to get the prk |
string | $ikm | The input keying material |
Definition at line 231 of file CryptHKDF.php.
|
protected |
The hash algorithm being used.
Definition at line 48 of file CryptHKDF.php.
The persistent cache.
Definition at line 38 of file CryptHKDF.php.
|
protected |
Cache key we'll use for our salt.
Definition at line 43 of file CryptHKDF.php.
|
protected |
a "context information" string CTXinfo (which may be null) See http://eprint.iacr.org/2010/264.pdf Section 4.1
Definition at line 80 of file CryptHKDF.php.
|
static |
Round count is computed based on the hash'es output length, which neither php nor openssl seem to provide easily.
Definition at line 88 of file CryptHKDF.php.
|
protected |
The last block (K(i)) of the most recent expanded key.
Definition at line 72 of file CryptHKDF.php.
|
private |
The pseudorandom key.
Definition at line 59 of file CryptHKDF.php.
|
protected |
binary string, the salt for the HKDF
Definition at line 54 of file CryptHKDF.php.
|
private |
The secret key material.
This must be kept secret to preserve the security properties of this RNG.
Definition at line 67 of file CryptHKDF.php.