On Thu, Nov 27, 2025 at 09:24:43AM +0800, Li Tian wrote: > > Why do you think the salt needs to be at least 32 bytes? > > Forgive my inaccuracy. Under FIPS, salt needs to be at least the hash length > (32bytes for sha256 and 64bytes for sha512) because NIST requires that the > HMAC key used in Extract has *full security strength*. 32 is just the > number I > tested with. > > Li Tian
It seems that you're confusing the salt with the input keying material. The entropy for the key comes from the input keying material. The salt is a non-secret value that usually is just set to all-zeroes. In fact, both users of HKDF in the kernel just set it to all-zeroes. - Eric
