[Q] Question about the AEAD implementation key's expanding and re-hashing

[arthurkiller]

According to the document about AEAD in shadowsocks.org. HKDF_SHA1 is strong enough even if the in put key is weak.

But I get the code in ss-go2 that hashing and expanding the input key to requested key length first, then get the hashed key do the HKDF_SHA1 again to get the subkey for AEAD.

Why do this? And I can't see the document request for re-hashing & expanding for the key.

Only once HKDF operation is leaking safty?

Thx dude, waiting for reply.

@riobard

[riobard]

shadowsocks/shadowsocks-org#42

[dszhengyu]

@riobard I have talked with @arthurkiller
Still, we can't figure out why to expand the user password to the key length before apply the HKDF_SHA1 function
Nor I can find this mentioned in the document https://shadowsocks.org/en/spec/AEAD-Ciphers.html

[riobard]

Do you mean why we do this?

go-shadowsocks2/core/cipher.go

Line 88 in 3334af5

key = kdf(password, choice.KeySize)

Before SIP007 we used the key derived from password directly. SIP007 proposed to compute subkeys from that derived key.

In theory we could compute subkeys from password directly, but why bother? All SS crypto code deal with keys instead of passwords.