Applications in which you should/shouldn't use a salt with HKDF

nohatsatthetable

5/5/23, 7:38 PM

rfc5869 has the following to say about the use or lack thereof of salts with HKDF:

HKDF is defined to operate with and without random salt. This is done to accommodate applications where a salt value is not available. We stress, however, that the use of salt adds significantly to the strength of HKDF, ensuring independence between different uses of the hash function, supporting "source-independent" extraction, and strengthening the analytical results that back the HKDF design.

All of the above would make sense in the context of password hashing, but to my knowledge that's not an appropriate use of the HKDF function. It seems to suggest a salt is used to ensure two instances of the function do not return the same output key material when used with the same input key material; the only scenario (that I'm currently aware of) in which this might feasibly happen is when the IKM is a user generated password. So my questions are:

what does it mean for two uses of a hash function to be independent?
what is the meaning of "source independent extraction"?
what is a practical example of a use case in which a salt absolutely should be used with HKDF?

0 + 0

salt

hmac

hkdf

kelalaka

5/5/23, 8:11 PM

[Some answers here](https://crypto.stackexchange.com/q/76588/18298) and [Domain Separation](https://crypto.stackexchange.com/q/83306/18298) for hash functions. I found it broad question, though.

kelalaka

5/5/23, 8:38 PM

what does it mean for two uses of a hash function to be independent? "Domain seperation"

knaccc

5/6/23, 2:15 AM

Since the salt is for domain separation and for randomness extraction, I've asked this more specific question about just the randomness extraction part... https://crypto.stackexchange.com/questions/97980/hdkf-randomness-extraction-salt-or-no-salt

Score:2

Crypto

knaccc

5/6/23, 11:56 AM

The use of a salt serves two purposes: domain separation and randomness extraction.

If you are sure that your IKM (input keying material) is only being used in one "domain", you do not need a salt for the purposes of domain separation. Within the same domain, you instead use the info parameter to generate multiple keys from the same IKM for different contexts within the domain.

If your IKM is already uniformly random (such as when it is a uniformly random private key being used to derive sub-keys via HKDF), then you do not need a salt for the purposes of randomness extraction if the IKM is of sufficient bit length for your purposes.

Domain separation

Page 26 of the "Cryptographic Extraction and Key Derivation: The HKDF Scheme" paper (referred to as [HKDF-paper] in rfc5869) gives the following example of the necessity of domain separation:

The importance of such independence can be illustrated by the following “real-life” example... A Diffie-Hellman exchange is authenticated by signing the key $g^{xy}$. In actuality, what is signed is $H(g^{xy})$ for some hash function $H$, say SHA-1. If the signature allows for message recovery (e.g. RSA) then the attacker does not learn $g^{xy}$ but rather $H(g^{xy})$; thus if one thinks of $H$ as a random oracle then nothing is learned about $g^{xy}$. Now, suppose that the above protocol derives keys via a traditional KDF, namely, keys are computed as $H(g^{xy} \mathbin\| v)$ for some public values $v$. In this case, if we follow the $H$ = SHA-1 example and assume $g^{xy}$ is of length 1024, we get that computing $H(g^{xy}\mathbin\|v)$ is the same as computing $H$ on $v$ with the IV of $H$ set to $H(g^{xy})$ (for simplicity assume that the computation of $H$ on $g^{xy}$ does not use length appending). However, this means that the attacker learns all the keys since he knows $H(g^{xy})$! The failure of the protocol is not due to a specific weakness of $H$ but rather to the use of the same (deterministic) function for two different functionalities: the hash function applied to $g^{xy}$ and the KDF. In contrast, if one keyed $H$ via a salt value in its use by the KDF one would enforce independence between the two functionalities.

HDKF consists of two stages:

HKDF-Extract: PRK = HMAC-Hash(salt, IKM)
HKDF-Expand(PRK, info, L) -> OKM

(Where IKM is 'input keying material', PRK is 'a pseudorandom key', OKM is 'output keying material', L is the length of the desired output).

Therefore, if no salt were used, and the value of HMAC-Hash(NULL, IKM) were somehow leaked (e.g. in the "message recovery" scenario above), then all uses of HKDF later on using the same IKM and without salt would also be compromised.

If you do not need a salt for domain separation, then you should consider whether you need a salt for the purposes of randomness extraction. That question is posted here.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Applications in which you should/shouldn't use a salt with HKDF

TH: การใช้งานที่คุณควร/ไม่ควรใช้เกลือกับ HKDF

RO: Aplicații în care ar trebui/nu ar trebui să folosiți o sare cu HKDF

RU: Приложения, в которых вы должны/не должны использовать соль с HKDF

VI: Các ứng dụng mà bạn nên/không nên sử dụng muối với HKDF

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.