26950 2014-10-02 04:14:15 +0000 Default HMAC keys should be output length, not block length 2014-10-22 21:32:38 +0000 1 1 1 Unclassified Web Cryptography Web Cryptography API Document unspecified PC All RESOLVED WONTFIX P2 normal --- 1 rlb sleevi public-webcrypto watsonm oldest_to_newest 112553 0 rlb 2014-10-02 04:14:15 +0000 Currently the HMAC Operations section for generateKey requires the default key length to be equal to the block size of the underlying hash algorithm. https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#hmac-operations RFC 2104, which defines HMAC, says that there's no point to having keys longer than the *output* length of the hash (L): """ Keys longer than L bytes are acceptable but the extra length would not significantly increase the function strength. """ http://tools.ietf.org/html/rfc2104#section-3 The block length is typically much larger than the output length. In the case of SHA-256, for example, the block length is 512 bits. In order to avoid wasting bytes, the default key length for WebCrypto should be the output length of the hash. 112608 1 watsonm 2014-10-02 21:23:03 +0000 From Jeff Walton: "Another reason this could cause problems is SHA3. Its a recursive hash function, and not an iterative hash with block size." 112609 2 watsonm 2014-10-02 21:23:57 +0000 I think this is just a mistake and it should indeed be the output length. 112612 3 sleevi 2014-10-02 22:05:34 +0000 (In reply to Richard Barnes from comment #0) > Currently the HMAC Operations section for generateKey requires the default > key length to be equal to the block size of the underlying hash algorithm. > https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#hmac- > operations > > RFC 2104, which defines HMAC, says that there's no point to having keys > longer than the *output* length of the hash (L): > """ > Keys longer than L bytes are acceptable but the extra > length would not significantly increase the function strength. > """ > http://tools.ietf.org/html/rfc2104#section-3 > > The block length is typically much larger than the output length. In the > case of SHA-256, for example, the block length is 512 bits. In order to > avoid wasting bytes, the default key length for WebCrypto should be the > output length of the hash. Can you describe what you mean by "wasting" bytes. The terminology implies a particular assumption about usage. Keys longer than B are compressed to L bytes (through an iteration of the hash), and keys less than L are dangerous. The choice of language was not accidental, and reflect the discussions within SP800-107 r1 (5.3.4 and 5.3.5). In these cases, the 'maximum' effective security strength for HMAC-SHA1/SHA-256/SHA-512 is 2C (where C = L, see the spec). If one generates a key of size L, it's effectively a key at half the length. The choice of using B, rather than L, was to generalize this across all constructions. Yes, there is limited value where B > 2C, but there is value with B > L, with all included hash functions having L <= C 113606 4 watsonm 2014-10-22 21:32:38 +0000 Closing as per conf call discussion.