Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595) from Emil Lundberg via GitHub on 2021-04-30 (public-webauthn@w3.org from April 2021)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 30 Apr 2021 11:32:28 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-830031946-1619782346-sysbot+gh@w3.org>

It is constructed on top the [`hmac-secret` CTAP extension](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/#sctn-hmac-secret-extension), yes, but that doesn't mean it's a message authentication algorithm. `hmac-secret` "is used by the platform to retrieve a symmetric secret from the authenticator", and the PRF extension in turn uses that to construct pseudo-random functions on top of it. See also for example [HKDF](https://tools.ietf.org/html/rfc5869), which similarly constructs a key derivation/expansion algorithm on top of HMAC.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-830031946 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 30 April 2021 11:32:31 UTC