HKDF

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

HKDF is a simple key derivation function (KDF) based on HMAC message authentication code.[1][2] It was initially proposed by its authors as a building block in various protocols and applications, as well as to discourage the proliferation of multiple KDF mechanisms.[2] The main approach HKDF follows is the "extract-then-expand" paradigm, where the KDF logically consists of two modules: the first stage takes the input keying material and "extracts" from it a fixed-length pseudorandom key, and then the second stage "expands" this key into several additional pseudorandom keys (the output of the KDF).[2]

It can be used, for example, to convert shared secrets exchanged via Diffie–Hellman into key material suitable for use in encryption, integrity checking or authentication.[1]

It is formally described in the RFC 5869.[2] One of its authors also described the algorithm in a companion paper in 2010.[1]

NIST SP800-56Cr2[3] specifies a parameterizable extract-then-expand scheme, noting that RFC5869 HKDF is a version of it and citing its paper[1] for the rationale for the recommendations' extract-and-expand mechanisms.

There are implementations of HKDF for C#, Go,[4] Java,[5] JavaScript,[6] Perl, PHP,[7] Python,[8] Ruby, and other programming languages.

Mechanism[edit]

HKDF extracts a pseudorandom key (PRK) using an HMAC hash function (e.g. HMAC-SHA256) on an optional salt (acting as a key) and any potentially weak input key material (IKM) (acting as data). It then generates similarly cryptographically strong output key material (OKM) of any desired length by repeatedly generating PRK-keyed hash-blocks and then appending them into the output key material, finally truncating to the desired length.

For added security, the PRK-keyed HMAC-hashed blocks are chained during their generation by appending the previous hash block with an incrementing 8-bit counter with an optional context string in the middle[clarification needed] before being hashed by HMAC to generate the current hash block.[citation needed]

An important property of HKDF is that it does not amplify entropy but does allow a large source of weaker entropy to be utilised more evenly and effectively.[citation needed]

Uses[edit]

HKDF has two primary and potentially independent uses:

  1. To "extract" (condense/blend) entropy from a larger random source to provide a more uniformly unbiased and higher entropy but smaller output (e.g., an encryption key). This is done by utilising the diffusion properties of cryptographic MACs.
  2. To "expand" the generated output of an already reasonably random input such as an existing shared key into a larger cryptographically independent output, thereby producing multiple keys deterministically from that initial shared key, so that the same process may produce those same secret keys safely on multiple devices, as long as the same inputs are utilised.

These two functions may also be combined and used to form a PRNG to improve a random number generator's potentially-biased output, as well as to protect it from analysis and help defend the random number generation from malicious inputs.

Example: Python implementation[edit]

#!/usr/bin/env python3
import hashlib
import hmac
from math import ceil

hash_len = 32


def hmac_sha256(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def hkdf(length: int, ikm, salt: bytes = b"", info: bytes = b"") -> bytes:
    """Key derivation function"""
    if len(salt) == 0:
        salt = bytes([0] * hash_len)
    prk = hmac_sha256(salt, ikm)
    t = b""
    okm = b""
    for i in range(ceil(length / hash_len)):
        t = hmac_sha256(prk, t + info + bytes([i + 1]))
        okm += t
    return okm[:length]


okm = hkdf(length=42,
           ikm=bytes.fromhex('0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b'),
           salt=bytes.fromhex('000102030405060708090a0b0c'),
           info=bytes.fromhex('f0f1f2f3f4f5f6f7f8f9'))
assert okm == bytes.fromhex(
    '3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865')

References[edit]

  1. ^ a b c d Krawczyk, Hugo (2010). "Cryptographic Extraction and Key Derivation: The HKDF Scheme". Cryptology ePrint Archive. International Association for Cryptologic Research.
  2. ^ a b c d Krawczyk, H.; Eronen, P. (May 2010). "RFC 5869". Internet Engineering Task Force.
  3. ^ Elaine Barker; Lily Chen; Richard Davis (August 2020). "NIST Special Publication 800-56C: Recommendation for Key-Derivation Methods in Key-Establishment Schemes".
  4. ^ "package hkdf". pkg.go.dev.
  5. ^ "A standalone Java 7 implementation of HMAC-based key derivation function". github.com.
  6. ^ "Node.js implementation of RFC5869: HMAC-based Extract-and-Expand Key Derivation Function". npmjs.com.
  7. ^ "hash_hkdf — Generate a HKDF key derivation of a supplied key input". php.net.
  8. ^ "HMAC-based Extract-and-Expand Key Derivation Function (HKDF) implemented in Python". github.com.