The file_key derivation in MIP-04 v2 is sensitive to exact byte encoding of the HKDF context string:
file_key = HKDF-Expand(exporter_secret, "mip04-v2" || 0x00 || file_hash_bytes || 0x00 || mime_type_bytes || 0x00 || filename_bytes || 0x00 || "key", 32)
The metadata binding in the KDF (rather than AAD alone) is intentional — it provides a second layer of protection against nonce collision: two different files in the same epoch will have different keys even if a nonce collision occurs. However, this means subtle encoding differences between implementations will produce silently wrong keys and decryption failures.
Cases that need explicit test vectors:
- MIME type canonicalization: "IMAGE/JPEG", "image/jpeg; charset=utf-8", "image/jpeg" should all produce the same key
- Filename encoding: Unicode filenames, spaces, special characters (e.g. "café photo.jpg", "file name.png")
- Empty filename or MIME type (edge case — should this be rejected or handled?)
- File hash: ensure raw bytes (not hex-encoded) are used
- Null byte separators: verify 0x00 separator placement is unambiguous (e.g. empty filename shouldn't collapse separators)
- Known exporter secret input → expected file_key output, end-to-end
Each vector should include the raw hex of the full HKDF info parameter so implementors can verify the context construction independently of the HKDF itself.
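A sketch of a vector generator for the cases listed above, added here as an example and not taken from MIP-04 or any implementation of it. It assumes SHA-256 for HKDF-Expand, a 32-byte file hash, UTF-8 filenames without Unicode normalization, and a MIME canonicalization rule of "drop parameters, lowercase"; the exporter secret and file hash are constructed sample values.

```python
import hashlib
import hmac

LABEL = b"mip04-v2"  # label from the derivation on this page

def canonical_mime(mime: str) -> bytes:
    # Assumed rule: drop parameters, trim whitespace, lowercase.
    return mime.split(";", 1)[0].strip().lower().encode("ascii")

def build_info(file_hash: bytes, mime: str, filename: str) -> bytes:
    # Assumption: file_hash is a 32-byte digest; 64 bytes of hex text is rejected.
    if len(file_hash) != 32:
        raise ValueError("file_hash must be 32 raw bytes, not hex text")
    name = filename.encode("utf-8")  # assumed: UTF-8, no Unicode normalization
    if b"\x00" in name:
        raise ValueError("NUL inside filename makes the separators ambiguous")
    # Empty fields stay in place, so adjacent 0x00 separators are preserved.
    return b"\x00".join([LABEL, file_hash, canonical_mime(mime), name, b"key"])

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # RFC 5869 HKDF-Expand; SHA-256 is an assumption of this example.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Constructed sample inputs, not official MIP-04 test vectors.
EXPORTER_SECRET = bytes(range(32))
FILE_HASH = hashlib.sha256(b"constructed sample file").digest()

def vector(mime: str, filename: str) -> dict:
    # Emits the full info hex next to the key so context construction
    # can be checked independently of the HKDF step.
    info = build_info(FILE_HASH, mime, filename)
    key = hkdf_expand(EXPORTER_SECRET, info)
    return {"mime": mime, "filename": filename,
            "info_hex": info.hex(), "file_key_hex": key.hex()}

if __name__ == "__main__":
    for mime, name in [("IMAGE/JPEG", "café photo.jpg"),
                       ("image/jpeg; charset=utf-8", "café photo.jpg"),
                       ("image/jpeg", "cafe\u0301 photo.jpg"),  # NFD form
                       ("image/jpeg", "")]:
        print(vector(mime, name))
```

The NFD row produces a different info string and key from the NFC rows, so whichever normalization rule is chosen needs its own vector.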