2

Regarding HKDF, the specification says a salt may be re-used.

However, I have set up my system to generate a new, long and cryptographically random salt that persists with the user. This salt is not a secret. (See the RFC, section 3.1)

In addition, I am taking our unique user identifier and using it as context info for the third parameter in HKDF.

So our HKDF looks like this:

DK = HKDF(MasterKey, PublicUserSpecificSalt, UUID)

My questions are:

  1. Are there any issues with creating a random, user-specific salt, and using this for the salt input in HKDF? It seems the spec expects the salt to be re-used, which I am not doing.
  2. If I do use a random, user-specific salt, what is the benefit of the UUID as context info? Should I just remove it, since it would add unnecessary complexity?
R1w
jrl

1 Answer

2

By HKDF, I guess you mean HKDF-Expand, which takes as input a pseudorandom key, a label, and the output length. A public label is OK, but it is better for it to be unique rather than random, due to HKDF-Expand's pseudorandom function security. I think using UUID only as the label is good enough.

Shan Chen
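
The two constructions discussed above, side by side, as an added example (not code from the question or the answer): HKDF per RFC 5869 with HMAC-SHA-256, the question's per-user salt plus UUID as info, and the answer's Expand-only derivation with the UUID as the label. The master key, salts and UUIDs are constructed sample values, the function names are hypothetical, and using the master key directly as the PRK assumes it is already a uniformly random 32-byte key.

```python
import hashlib
import hmac
import uuid

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output is longer than 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def question_scheme(master_key: bytes, user_salt: bytes, user_id: uuid.UUID) -> bytes:
    """DK = HKDF(MasterKey, PublicUserSpecificSalt, UUID), as written in the question."""
    return hkdf(master_key, user_salt, user_id.bytes)


def answer_scheme(master_key: bytes, user_id: uuid.UUID) -> bytes:
    """HKDF-Expand only: the master key is the PRK (assumption), the UUID is the label."""
    return hkdf_expand(master_key, user_id.bytes, 32)


# Constructed sample values. In the question's system each salt would be random,
# generated once per user and stored, since a lost salt means a lost derived key.
MASTER_KEY = bytes(range(32))
USER_A = uuid.UUID("00000000-0000-4000-8000-00000000000a")
USER_B = uuid.UUID("00000000-0000-4000-8000-00000000000b")
SALT_A = hashlib.sha256(b"constructed salt for user A").digest()
SALT_B = hashlib.sha256(b"constructed salt for user B").digest()

if __name__ == "__main__":
    print("question, user A:", question_scheme(MASTER_KEY, SALT_A, USER_A).hex())
    print("answer,   user A:", answer_scheme(MASTER_KEY, USER_A).hex())
    print("answer,   user B:", answer_scheme(MASTER_KEY, USER_B).hex())
```
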