Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [hkdf]

HKDF is a key derivation function specified in RFC5869.

HKDF is a key derivation function, which can be used as a building block in protocols and applications. It is based upon HMAC and is specified in RFC 5869.

129 questions
13
votes
4 answers

Which risks are associated with deriving multiple keys from the same DH secret Z?

NIST recommends Krawczyk's HMAC-based key derivation function (HKDF) in SP-800-56C (PDF). HKDF shall e.g. be used to create keys from shared secrets after Diffie Hellman key establishment. NIST states in the same doc: Each call to the randomness…
NotACryptographer
  • 131
  • 1
  • 3
11
votes
1 answer

Can someone clarify two things about the HKDF by Krawczyk?

I got a question about the HKDF Scheme by Hugo Krawczyk. On the following link you can find a small explanation of the HKDF-Scheme and some short informations. The HKDF specification itself has been published as RFC 5869. I got two questions about…
chris000r
  • 519
  • 3
  • 15
11
votes
1 answer

PBKDF vs HKDF for pretty long key

I'm developing a messenger application with encrypted chats. In the first version of the app I've used PBKDF2 (10000 iterations, SHA1, random salt) to extend a short user password and generate keys to encrypt (AES256) and sign message (HMAC). In…
alexeylang
  • 113
  • 1
  • 5
8
votes
1 answer

HKDF randomness extraction - salt or no salt?

According to the HKDF paper, the use of a salt serves two purposes: domain separation and randomness extraction. This question is solely about the necessity of a salt for the purposes of randomness extraction. The HKDF paper states: a salt value…
knaccc
  • 4,880
  • 1
  • 18
  • 33
8
votes
2 answers

Do you really need a KDF when you have a PRF?

My understanding is that a KDF is like a PRF, except that it has a preliminary step that "extract" entropy. It is thus needed when the entropy is non-uniform (for example the output of ECDH is modulo a number that is not a power of 2, and is thus…
David 天宇 Wong
  • 1,595
  • 11
  • 27
8
votes
1 answer

How is HKDF-Expand better than a simple hash?

Why do we need HKDF-Expand if we can simply hash the pseudorandom key to make it longer? The docs (in the link) say: The second stage "expands" the pseudorandom key to the desired length... Is it only to allow for longer keys? So that if all we…
ispiro
  • 2,085
  • 2
  • 18
  • 29
7
votes
1 answer

Multiple AES Key Derivation from a master key

I need cryptography advice regarding this issue. Kamus is a service that encrypts secrets for applications running on Kubernetes. When using AES (actually, Rijndael) symmetric encryption, Kamus uses a single key to encrypt the secrets for all…
Omer Levi Hevroni
  • 173
  • 1
  • 5
7
votes
1 answer

What information to include is the 'info' input for HKDF?

The RFC states the following: 3.2. The 'info' Input to HKDF While the 'info' value is optional in the definition of HKDF, it is often of great importance in applications. Its main objective is to bind the derived key material to application- and…
hunter
  • 4,051
  • 6
  • 29
  • 42
7
votes
2 answers

Difference between RFC-5869 (HKDF) and SP800-108 (Nist's HMAC-based KDF spec)?

I'm trying to find the difference between the two aforementioned algorithms. It seems that one is either a subset of the other. Could someone explain the similarities/differences?
MarkP
  • 173
  • 1
  • 4
7
votes
1 answer

Why does HKDF use HMAC(salt, key) instead of HMAC(key, salt)?

I've been looking over the HKDF specs (RFC 5869), and something I noticed is that in the key and salt are reversed: 2.2. Step 1: Extract HKDF-Extract(salt, IKM) -> PRK Options: Hash a hash function; HashLen denotes the length of the …
Daan Bakker
  • 500
  • 2
  • 10
6
votes
1 answer

multiple keys via HKDF - whats better, one or two applications of HKDF-extract

Assume for the sake of the question that I have two variable-length bit strings, each with 128 bit cryptographic randomness, and I want to extract two 128 bit keys via HKDF-SHA256. Which alternative is better (if any), and why? Use a single…
Marc Lehmann
  • 225
  • 1
  • 4
6
votes
1 answer

repeated use of HKDF-extract on the same PRK

Regarding HKDF (RFC 5869) - HKDF has two steps, extract and expand. Some answers on this site suggest that you can extract once, and then generate multiple keys from the resulting PRK by multiple invocations of HKDF-expand (with different info…
Marc Lehmann
  • 225
  • 1
  • 4
6
votes
1 answer

Why derive keys from a master key instead of generating random keys?

I noticed AWS KMS generates encryption keys based off of a master key, using a key derivation function (HKDF). What's the practical advantage of deriving keys based on a master key? Isn't it simpler and typically more secure to just generate random…
Shruggie
  • 247
  • 3
  • 9
6
votes
1 answer

Computing IV for CBC from PBKDF2 + HKDF

Note that this question is somewhat similar to Can I use my random IV (for AES) as a salt for PBKDF2? My current encryption format computes two random PBKDF2 salts (encryption and HMAC, 8 bytes each) and also a random IV (16 bytes) to use with…
Rob Napier
  • 669
  • 3
  • 11
6
votes
1 answer

Risks of using SHA256 for key derivation

I'm working on a project where I need to derive several child keys from a parent key. I'm not a cryptography expert, so I'd really appreciate a simple explanation to help me understand the best practices and potential risks involved. Here's the…
BerryDelicious
  • 63
  • 4
1
2 3
8 9