[ Index ]

PHP Cross Reference of MediaWiki-1.24.0

title

Body

[close]

/includes/utils/ -> MWCryptHKDF.php (summary)

[Source view] [Print] [Project Stats]

(no description)

File Size: 332 lines (11 kb)
Included or required:0 times
Referenced: 1 time
Includes or requires: 0 files

Defines 1 class

MWCryptHKDF:: (10 methods):
  __construct()
  __destruct()
  getSaltUsingCache()
  singleton()
  realGenerate()
  HKDF()
  HKDFExtract()
  HKDFExpand()
  generate()
  generateHex()


Class: MWCryptHKDF  - X-Ref

Extract-and-Expand Key Derivation Function (HKDF). A cryptographicly
secure key expansion function based on RFC 5869.

This relies on the secrecy of $wgSecretKey (by default), or $wgHKDFSecret.
By default, sha256 is used as the underlying hashing algorithm, but any other
algorithm can be used. Finding the secret key from the output would require
an attacker to discover the input key (the PRK) to the hmac that generated
the output, and discover the particular data, hmac'ed with an evolving key
(salt), to produce the PRK. Even with md5, no publicly known attacks make
this currently feasible.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
http://www.gnu.org/copyleft/gpl.html

__construct( $secretKeyMaterial, $algorithm, $cache, $context )   X-Ref

param: string $secretKeyMaterial
param: string $algorithm Name of hashing algorithm
param: BagOStuff $cache
param: string|array $context Context to mix into HKDF context

__destruct()   X-Ref
Save the last block generated, so the next user will compute a different PRK
from the same SKM. This should keep things unpredictable even if an attacker
is able to influence CTXinfo.


getSaltUsingCache()   X-Ref
MW specific salt, cached from last run

return: string Binary string

singleton()   X-Ref
Return a singleton instance, based on the global configs.

return: HKDF

realGenerate( $bytes, $context = '' )   X-Ref
Produce $bytes of secure random data. As a side-effect,
$this->lastK is set to the last hashLen block of key material.

param: int $bytes Number of bytes of data
param: string $context Context to mix into CTXinfo
return: string Binary string of length $bytes

HKDF( $hash, $ikm, $salt, $info, $L )   X-Ref
RFC5869 defines HKDF in 2 steps, extraction and expansion.
From http://eprint.iacr.org/2010/264.pdf:

The scheme HKDF is specifed as:
HKDF(XTS, SKM, CTXinfo, L) = K(1) || K(2) || ... || K(t)
where the values K(i) are defined as follows:
PRK = HMAC(XTS, SKM)
K(1) = HMAC(PRK, CTXinfo || 0);
K(i+1) = HMAC(PRK, K(i) || CTXinfo || i), 1 <= i < t;
where t = [L/k] and the value K(t) is truncated to its first d = L mod k bits;
the counter i is non-wrapping and of a given fixed size, e.g., a single byte.
Note that the length of the HMAC output is the same as its key length and therefore
the scheme is well defined.

XTS is the "extractor salt"
SKM is the "secret keying material"

N.B. http://eprint.iacr.org/2010/264.pdf seems to differ from RFC 5869 in that the test
vectors from RFC 5869 only work if K(0) = '' and K(1) = HMAC(PRK, K(0) || CTXinfo || 1)

param: string $hash The hashing function to use (e.g., sha256)
param: string $ikm The input keying material
param: string $salt The salt to add to the ikm, to get the prk
param: string $info Optional context (change the output without affecting
param: int $L Number of bytes to return
return: string Cryptographically secure pseudorandom binary string

HKDFExtract( $hash, $salt, $ikm )   X-Ref
Extract the PRK, PRK = HMAC(XTS, SKM)
Note that the hmac is keyed with XTS (the salt),
and the SKM (source key material) is the "data".

param: string $hash The hashing function to use (e.g., sha256)
param: string $salt The salt to add to the ikm, to get the prk
param: string $ikm The input keying material
return: string Binary string (pseudorandm key) used as input to HKDFExpand

HKDFExpand( $hash, $prk, $info, $bytes, &$lastK = '' )   X-Ref
Expand the key with the given context

param: string $hash Hashing Algorithm
param: string $prk A pseudorandom key of at least HashLen octets
param: string $info Optional context and application specific information
param: int $bytes Length of output keying material in bytes
param: string &$lastK Set by this function to the last block of the expansion.
return: string Cryptographically secure random string $bytes long

generate( $bytes, $context )   X-Ref
Generate cryptographically random data and return it in raw binary form.

param: int $bytes The number of bytes of random data to generate
param: string $context String to mix into HMAC context
return: string Binary string of length $bytes

generateHex( $chars, $context = '' )   X-Ref
Generate cryptographically random data and return it in hexadecimal string format.
See MWCryptRand::realGenerateHex for details of the char-to-byte conversion logic.

param: int $chars The number of hex chars of random data to generate
param: string $context String to mix into HMAC context
return: string Random hex characters, $chars long


Generated: Fri Nov 28 14:03:12 2014 Cross-referenced by PHPXref 0.7.1