MediaWiki  master
Public Member Functions | Static Public Member Functions | Static Public Attributes | Protected Member Functions | Static Protected Member Functions | Protected Attributes | Static Protected Attributes | Static Private Member Functions | Private Attributes | List of all members
MWCryptHKDF Class Reference

Public Member Functions

static __construct ($secretKeyMaterial, $algorithm, $cache, $context)
 
 __destruct ()
 Save the last block generated, so the next user will compute a different PRK from the same SKM. More...
 

Static Public Member Functions

static generate ($bytes, $context)
 Generate cryptographically random data and return it in raw binary form. More...
 
static generateHex ($chars, $context= '')
 Generate cryptographically random data and return it in hexadecimal string format. More...
 
static HKDF ($hash, $ikm, $salt, $info, $L)
 RFC5869 defines HKDF in 2 steps, extraction and expansion. More...
 

Static Public Attributes

static $hashLength
 Round count is computed based on the hash'es output length, which neither php nor openssl seem to provide easily. More...
 

Protected Member Functions

 getSaltUsingCache ()
 MW specific salt, cached from last run. More...
 
 realGenerate ($bytes, $context= '')
 Produce $bytes of secure random data. More...
 

Static Protected Member Functions

static singleton ()
 Return a singleton instance, based on the global configs. More...
 

Protected Attributes

 $algorithm = null
 The hash algorithm being used. More...
 
 $cache = null
 The persistant cache. More...
 
 $cacheKey = null
 Cache key we'll use for our salt. More...
 
 $context = []
 a "context information" string CTXinfo (which may be null) See http://eprint.iacr.org/2010/264.pdf Section 4.1 More...
 
 $lastK
 The last block (K(i)) of the most recent expanded key. More...
 
 $salt
 binary string, the salt for the HKDF More...
 

Static Protected Attributes

static $singleton = null
 Singleton instance for public use. More...
 

Static Private Member Functions

static HKDFExpand ($hash, $prk, $info, $bytes, &$lastK= '')
 Expand the key with the given context. More...
 
static HKDFExtract ($hash, $salt, $ikm)
 Extract the PRK, PRK = HMAC(XTS, SKM) Note that the hmac is keyed with XTS (the salt), and the SKM (source key material) is the "data". More...
 

Private Attributes

 $prk
 The pseudorandom key. More...
 
 $skm
 The secret key material. More...
 

Detailed Description

Definition at line 33 of file MWCryptHKDF.php.

Constructor & Destructor Documentation

static MWCryptHKDF::__construct (   $secretKeyMaterial,
  $algorithm,
  $cache,
  $context 
)
Parameters
string$secretKeyMaterial
string$algorithmName of hashing algorithm
BagOStuff$cache
string | array$contextContext to mix into HKDF context
Exceptions
MWException

Definition at line 107 of file MWCryptHKDF.php.

References $algorithm, $cache, $context, cache, and wfMemcKey().

MWCryptHKDF::__destruct ( )

Save the last block generated, so the next user will compute a different PRK from the same SKM.

This should keep things unpredictable even if an attacker is able to influence CTXinfo.

Definition at line 129 of file MWCryptHKDF.php.

References cache.

Member Function Documentation

static MWCryptHKDF::generate (   $bytes,
  $context 
)
static

Generate cryptographically random data and return it in raw binary form.

Parameters
int$bytesThe number of bytes of random data to generate
string$contextString to mix into HMAC context
Returns
string Binary string of length $bytes

Definition at line 311 of file MWCryptHKDF.php.

References $context.

static MWCryptHKDF::generateHex (   $chars,
  $context = '' 
)
static

Generate cryptographically random data and return it in hexadecimal string format.

See MWCryptRand::realGenerateHex for details of the char-to-byte conversion logic.

Parameters
int$charsThe number of hex chars of random data to generate
string$contextString to mix into HMAC context
Returns
string Random hex characters, $chars long

Definition at line 323 of file MWCryptHKDF.php.

References $context, and realGenerate().

Referenced by MWCryptHKDFTest\testGenerate().

MWCryptHKDF::getSaltUsingCache ( )
protected

MW specific salt, cached from last run.

Returns
string Binary string

Definition at line 139 of file MWCryptHKDF.php.

References $salt, cache, and MWCryptRand\generate().

Referenced by realGenerate().

static MWCryptHKDF::HKDF (   $hash,
  $ikm,
  $salt,
  $info,
  $L 
)
static

RFC5869 defines HKDF in 2 steps, extraction and expansion.

From http://eprint.iacr.org/2010/264.pdf:

The scheme HKDF is specifed as: HKDF(XTS, SKM, CTXinfo, L) = K(1) || K(2) || ... || K(t) where the values K(i) are defined as follows: PRK = HMAC(XTS, SKM) K(1) = HMAC(PRK, CTXinfo || 0); K(i+1) = HMAC(PRK, K(i) || CTXinfo || i), 1 <= i < t; where t = [L/k] and the value K(t) is truncated to its first d = L mod k bits; the counter i is non-wrapping and of a given fixed size, e.g., a single byte. Note that the length of the HMAC output is the same as its key length and therefore the scheme is well defined.

XTS is the "extractor salt" SKM is the "secret keying material"

N.B. http://eprint.iacr.org/2010/264.pdf seems to differ from RFC 5869 in that the test vectors from RFC 5869 only work if K(0) = '' and K(1) = HMAC(PRK, K(0) || CTXinfo || 1)

Parameters
string$hashThe hashing function to use (e.g., sha256)
string$ikmThe input keying material
string$saltThe salt to add to the ikm, to get the prk
string$infoOptional context (change the output without affecting the randomness properties of the output)
int$LNumber of bytes to return
Returns
string Cryptographically secure pseudorandom binary string

Definition at line 245 of file MWCryptHKDF.php.

References $prk, and $salt.

Referenced by MWCryptHKDFTest\testRfc5869().

static MWCryptHKDF::HKDFExpand (   $hash,
  $prk,
  $info,
  $bytes,
$lastK = '' 
)
staticprivate

Expand the key with the given context.

Parameters
string$hashHashing Algorithm
string$prkA pseudorandom key of at least HashLen octets (usually, the output from the extract step)
string$infoOptional context and application specific information (can be a zero-length string)
int$bytesLength of output keying material in bytes (<= 255*HashLen)
string&$lastKSet by this function to the last block of the expansion. In MediaWiki, this is used to seed future Extractions.
Returns
string Cryptographically secure random string $bytes long
Exceptions
MWException

Definition at line 280 of file MWCryptHKDF.php.

References $hashLength, $lastK, $output, and $prk.

static MWCryptHKDF::HKDFExtract (   $hash,
  $salt,
  $ikm 
)
staticprivate

Extract the PRK, PRK = HMAC(XTS, SKM) Note that the hmac is keyed with XTS (the salt), and the SKM (source key material) is the "data".

Parameters
string$hashThe hashing function to use (e.g., sha256)
string$saltThe salt to add to the ikm, to get the prk
string$ikmThe input keying material
Returns
string Binary string (pseudorandm key) used as input to HKDFExpand

Definition at line 261 of file MWCryptHKDF.php.

References $salt.

MWCryptHKDF::realGenerate (   $bytes,
  $context = '' 
)
protected

Produce $bytes of secure random data.

As a side-effect, $this->lastK is set to the last hashLen block of key material.

Parameters
int$bytesNumber of bytes of data
string$contextContext to mix into CTXinfo
Returns
string Binary string of length $bytes

Definition at line 194 of file MWCryptHKDF.php.

References $context, $salt, and getSaltUsingCache().

Referenced by generateHex().

static MWCryptHKDF::singleton ( )
staticprotected

Return a singleton instance, based on the global configs.

Returns
self
Exceptions
MWException

Definition at line 162 of file MWCryptHKDF.php.

References $cache, $context, $wgHKDFAlgorithm, $wgHKDFSecret, $wgSecretKey, ObjectCache\getLocalServerInstance(), and global.

Member Data Documentation

MWCryptHKDF::$algorithm = null
protected

The hash algorithm being used.

Definition at line 53 of file MWCryptHKDF.php.

Referenced by __construct().

MWCryptHKDF::$cache = null
protected

The persistant cache.

Definition at line 43 of file MWCryptHKDF.php.

Referenced by __construct(), and singleton().

MWCryptHKDF::$cacheKey = null
protected

Cache key we'll use for our salt.

Definition at line 48 of file MWCryptHKDF.php.

MWCryptHKDF::$context = []
protected

a "context information" string CTXinfo (which may be null) See http://eprint.iacr.org/2010/264.pdf Section 4.1

Definition at line 80 of file MWCryptHKDF.php.

Referenced by __construct(), generate(), generateHex(), realGenerate(), and singleton().

MWCryptHKDF::$hashLength
static
Initial value:
= [
'md5' => 16

Round count is computed based on the hash'es output length, which neither php nor openssl seem to provide easily.

Definition at line 86 of file MWCryptHKDF.php.

Referenced by HKDFExpand().

MWCryptHKDF::$lastK
protected

The last block (K(i)) of the most recent expanded key.

Definition at line 74 of file MWCryptHKDF.php.

Referenced by HKDFExpand().

MWCryptHKDF::$prk
private

The pseudorandom key.

Definition at line 63 of file MWCryptHKDF.php.

Referenced by HKDF(), and HKDFExpand().

MWCryptHKDF::$salt
protected

binary string, the salt for the HKDF

Definition at line 58 of file MWCryptHKDF.php.

Referenced by getSaltUsingCache(), HKDF(), HKDFExtract(), and realGenerate().

MWCryptHKDF::$singleton = null
staticprotected

Singleton instance for public use.

Definition at line 38 of file MWCryptHKDF.php.

MWCryptHKDF::$skm
private

The secret key material.

This must be kept secret to preserve the security properties of this RNG.

Definition at line 69 of file MWCryptHKDF.php.

The documentation for this class was generated from the following file: