HKDF is a simple key derivation function (KDF) based on HMACmessage authentication code.[1][2] It was initially proposed by its authors as a building block in various protocols and applications, as well as to discourage the proliferation of multiple KDF mechanisms.[2] The main approach HKDF follows is the "extract-then-expand" paradigm, where the KDF logically consists of two modules: the first stage takes the input keying material and "extracts" from it a fixed-length pseudorandom key, and then the second stage "expands" this key into several additional pseudorandom keys (the output of the KDF).[2]
It can be used, for example, to convert shared secrets exchanged via Diffie–Hellman into key material suitable for use in encryption, integrity checking or authentication.[1]
It is formally described in RFC 5869.[2] One of its authors also described the algorithm in a companion paper in 2010.[1]
NIST SP800-56Cr2[3] specifies a parameterizable extract-then-expand scheme, noting that RFC5869 HKDF is a version of it and citing its paper[1] for the rationale for the recommendations' extract-and-expand mechanisms.
HKDF extracts a pseudorandom key (PRK) using an HMAC hash function (e.g. HMAC-SHA256) on an optional salt (acting as a key) and any potentially weak input key material (IKM) (acting as data). It then generates similarly cryptographically strong output key material (OKM) of any desired length by repeatedly generating PRK-keyed hash-blocks and then appending them into the output key material, finally truncating to the desired length.
For added security, the PRK-keyed HMAC-hashed blocks are chained during their generation by appending the previous hash block with an incrementing 8-bit counter with an optional info string providing application-specific context before being hashed by HMAC to generate the current hash block.[2]
An important property of HKDF is that it does not amplify entropy but does allow a large source of weaker entropy to be utilised more evenly and effectively.[2]
Uses
HKDF has two primary and potentially independent uses:
To "extract" (condense/blend) entropy from a larger random source to provide a more uniformly unbiased and higher entropy but smaller output (e.g., an encryption key). This is done by utilising the diffusion properties of cryptographic MACs.
To "expand" the generated output of an already reasonably random input such as an existing shared key into a larger cryptographically independent output, thereby producing multiple keys deterministically from that initial shared key, so that the same process may produce those same secret keys safely on multiple devices, as long as the same inputs are utilised.
These two functions may also be combined and used to form a PRNG to improve a random number generator's potentially-biased output, as well as to protect it from analysis and help defend the random number generation from malicious inputs.
^ abcdKrawczyk, Hugo (2010). "Cryptographic Extraction and Key Derivation: The HKDF Scheme". Cryptology ePrint Archive. International Association for Cryptologic Research.
^ abcdefKrawczyk, H.; Eronen, P. (May 2010). "RFC 5869". Internet Engineering Task Force. doi:10.17487/RFC5869.
^Elaine Barker; Lily Chen; Richard Davis (August 2020). "NIST Special Publication 800-56C: Recommendation for Key-Derivation Methods in Key-Establishment Schemes". doi:10.6028/NIST.SP.800-56Cr2. {{cite journal}}: Cite journal requires |journal= (help)
^"A standalone Java 7 implementation of HMAC-based key derivation function". github.com. 27 September 2022.
^"Node.js implementation of RFC5869: HMAC-based Extract-and-Expand Key Derivation Function". npmjs.com.
^"hash_hkdf — Generate a HKDF key derivation of a supplied key input". php.net.
^"HMAC-based Extract-and-Expand Key Derivation Function (HKDF) implemented in Python". github.com. 17 March 2022.
January 23, 2023
hkdf, this, article, needs, additional, citations, verification, please, help, improve, this, article, adding, citations, reliable, sources, unsourced, material, challenged, removed, find, sources, news, newspapers, books, scholar, jstor, july, 2021, learn, wh. This article needs additional citations for verification Please help improve this article by adding citations to reliable sources Unsourced material may be challenged and removed Find sources HKDF news newspapers books scholar JSTOR July 2021 Learn how and when to remove this template message HKDF is a simple key derivation function KDF based on HMAC message authentication code 1 2 It was initially proposed by its authors as a building block in various protocols and applications as well as to discourage the proliferation of multiple KDF mechanisms 2 The main approach HKDF follows is the extract then expand paradigm where the KDF logically consists of two modules the first stage takes the input keying material and extracts from it a fixed length pseudorandom key and then the second stage expands this key into several additional pseudorandom keys the output of the KDF 2 It can be used for example to convert shared secrets exchanged via Diffie Hellman into key material suitable for use in encryption integrity checking or authentication 1 It is formally described in RFC 5869 2 One of its authors also described the algorithm in a companion paper in 2010 1 NIST SP800 56Cr2 3 specifies a parameterizable extract then expand scheme noting that RFC5869 HKDF is a version of it and citing its paper 1 for the rationale for the recommendations extract and expand mechanisms There are implementations of HKDF for C Go 4 Java 5 JavaScript 6 Perl PHP 7 Python 8 Ruby and other programming languages Contents 1 Mechanism 2 Uses 3 Example Python implementation 4 ReferencesMechanism EditHKDF extracts a pseudorandom key PRK using an HMAC hash function e g HMAC SHA256 on an optional salt acting as a key and any potentially weak input key material IKM acting as data It then generates similarly cryptographically strong output key material OKM of any desired length by repeatedly generating PRK keyed hash blocks and then appending them into the output key material finally truncating to the desired length For added security the PRK keyed HMAC hashed blocks are chained during their generation by appending the previous hash block with an incrementing 8 bit counter with an optional info string providing application specific context before being hashed by HMAC to generate the current hash block 2 An important property of HKDF is that it does not amplify entropy but does allow a large source of weaker entropy to be utilised more evenly and effectively 2 Uses EditHKDF has two primary and potentially independent uses To extract condense blend entropy from a larger random source to provide a more uniformly unbiased and higher entropy but smaller output e g an encryption key This is done by utilising the diffusion properties of cryptographic MACs To expand the generated output of an already reasonably random input such as an existing shared key into a larger cryptographically independent output thereby producing multiple keys deterministically from that initial shared key so that the same process may produce those same secret keys safely on multiple devices as long as the same inputs are utilised These two functions may also be combined and used to form a PRNG to improve a random number generator s potentially biased output as well as to protect it from analysis and help defend the random number generation from malicious inputs Example Python implementation Edit usr bin env python3 import hashlib import hmac from math import ceil hash len 32 def hmac sha256 key data return hmac new key data hashlib sha256 digest def hkdf length int ikm salt bytes b info bytes b gt bytes Key derivation function if len salt 0 salt bytes 0 hash len prk hmac sha256 salt ikm t b okm b for i in range ceil length hash len t hmac sha256 prk t info bytes i 1 okm t return okm length okm hkdf length 42 ikm bytes fromhex 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b salt bytes fromhex 000102030405060708090a0b0c info bytes fromhex f0f1f2f3f4f5f6f7f8f9 assert okm bytes fromhex 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 References Edit a b c d Krawczyk Hugo 2010 Cryptographic Extraction and Key Derivation The HKDF Scheme Cryptology ePrint Archive International Association for Cryptologic Research a b c d e f Krawczyk H Eronen P May 2010 RFC 5869 Internet Engineering Task Force doi 10 17487 RFC5869 Elaine Barker Lily Chen Richard Davis August 2020 NIST Special Publication 800 56C Recommendation for Key Derivation Methods in Key Establishment Schemes doi 10 6028 NIST SP 800 56Cr2 a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help package hkdf pkg go dev A standalone Java 7 implementation of HMAC based key derivation function github com 27 September 2022 Node js implementation of RFC5869 HMAC based Extract and Expand Key Derivation Function npmjs com hash hkdf Generate a HKDF key derivation of a supplied key input php net HMAC based Extract and Expand Key Derivation Function HKDF implemented in Python github com 17 March 2022 Retrieved from https en wikipedia org w index php title HKDF amp oldid 1118812596, wikipedia, wiki, book, books, library,
