Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> On Mon, 2017-05-22 at 19:09 +0200, Niels Möller wrote:
> > Is it required that hkdf_extract is used in some way to produce the key for hkdf_expand? Then I think the relation between _extract and _expand needs to be clarified. Would you always have the same number of calls to _extract and _expand, or could do _extract once and _expand multiple times (with different info string)?
>
> I'm not sure what you mean. The relation is defined in HKDF document, though upper protocols like tls 1.3 may utilize these in arbitrary ways. Nettle provides the implementation of the primitives.
Sorry this got a bit stalled. I would like the Nettle docs to be reasonably self-contained, and explain what the primitive does, what problem it is intended to solve, and the typical way to use it. And in case terminology in the relevant RFC or other literature differs from what's used elsewhere in the Nettle manual, point out how they relate. In particular, I found the "salt"/"key"/"secret" arguments a bit confusing, as well as the purpose of the _extract function.
With your current patch to the docs, I'll have to read the HKDF spec carefully myself to be able to review the code and the docs, and I haven't yet gotten the time to do that. Clear and more self-contained documentation would make this easier.
Best regards, /Niels
PS. I'm currently on vacation, i.e., no work duties in the way of Nettle hacking, but I'm a bit offline and not reading email daily.
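
The extract-once, expand-many pattern raised in the quoted question, as an added example that is not part of the original message and is not Nettle's code: RFC 5869 HKDF written with Python's standard library. The function names, the `derive_session_keys` helper, and the info labels are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(key=salt, msg=IKM).

    The salt is the HMAC *key*; the secret input keying material is the message.
    """
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt is HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i); OKM = T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(salt: bytes, secret: bytes) -> dict:
    """Extract once, then expand once per purpose with a distinct info label."""
    prk = hkdf_extract(salt, secret)
    # Labels are constructed for this example, not taken from any protocol.
    return {
        "enc": hkdf_expand(prk, b"example enc key", 32),
        "mac": hkdf_expand(prk, b"example mac key", 32),
        "iv": hkdf_expand(prk, b"example iv", 12),
    }


if __name__ == "__main__":
    # Constructed inputs; a real salt and secret come from the protocol in use.
    keys = derive_session_keys(b"constructed salt", b"constructed shared secret")
    for name, value in keys.items():
        print(name, value.hex())
```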