HKDF is a Key Derivation Function (KDF) built on HMAC (Hash-based Message Authentication Code). It is typically used with symmetric cryptographic algorithms to derive cryptographic keys from given secret material, such as a master key, in a secure and efficient manner.

What is PRF

Pseudo-Random Functions (PRFs) are fundamental cryptographic primitives used in various security protocols and constructions. A PRF takes a secret key and a message as input and generates an output (typically, the Pseudo-Random Key or PRK) that is indistinguishable from random output to an observer who does not know the function’s secret key. In other words, the observer will not learn anything from the output if they don’t know the secret key. In a PRF, the secret key should be uniformly random, meaning that you sample the key from the uniform distribution, i.e. from a set where drawing each element is equally probable.

What is HMAC

HMAC can be seen as a practical instantiation of a PRF. It constructs a PRF by incorporating a secret key and employing a nested hash function to process the input message. The output of HMAC exhibits pseudo-random behaviour, meaning the output appears to be random to an observer who does not possess the secret key, even if the observer has unlimited computing power.

As long as your HMAC secret key stays secret, HMAC can generally be treated as a PRF for all practical purposes.

What is KDF

A KDF, or Key Derivation Function, is a cryptographic function used to derive one or more secret keys from a piece of secret input, the Input Key Material (IKM), such as a master key or a password. Some common security properties of a KDF include:

  • Key independence
    • The derived keys should be independent of each other, meaning that knowledge of one derived key does not reveal information about the other keys
  • Pseudorandomness
    • The output key should be indistinguishable from random to an observer who does not know the input material. This property is often expressed in terms of the KDF being a PRF
  • Key secret
    • The secret input material (e.g. the master key) should remain confidential and not be revealed through the KDF or its output
  • Key recovery resistance
    • The KDF should be resilient when an attacker attempts to recover the secret input material, even when they have obtained some derived keys and their corresponding contexts or public plain text materials

Enhanced KDF security

If you use a KDF with a non-uniformly random IKM, you probably need the KDF security definition.

If the IKM used with the KDF is not uniformly random, the security properties of the KDF may be affected.

  • Pseudorandomness: When the IKM is not uniformly random, for example when it is generated from a low-entropy source such as a short secret, it might lead to patterns or biases in the derived keys. If the input key material lacks randomness or exhibits patterns, it may make the derived keys predictable or distinguishable from random, compromising the pseudorandomness property of the KDF.
  • Key secret: If the input key material is not uniformly random, it might be easier for an adversary to guess or infer the secret key. It could be vulnerable to brute-force or dictionary attacks, which compromises the key secret security property of the KDF.

If your IKM is already uniformly random (i.e. the ‘key separation’ use case), you can get by with just a PRF security definition.

If the IKM used with the KDF is already uniformly random, you only need to be concerned with the PRF used within the KDF.

Finally, the HKDF

HKDF is an HMAC-based KDF used to derive cryptographic keys from IKM such as a master key or password. HKDF consists of two main steps:

  • Extract: The extraction takes the IKM to produce a PRK using the HMAC construction. This process helps to eliminate any potential weaknesses in input material and ensure that the derived key has strong entropy.
    • The extract process is defined as PRK = HMAC-Hash(salt,IKM)
    • The salt is an optional, non-secret random value used for enhanced security
    • The input material is an IKM, which can be a master key or password
  • Expand: In the expansion step, HKDF takes the PRK generated in the extraction step and uses it to generate one or more cryptographic keys or other secret values. The expansion allows for the generation of keys of different lengths.
    • The expand process is defined as output = HMAC-Hash(PRK, context||length)
    • The length specifies the desired length of the output
    • The context helps to ensure that the derived keys are unique and context-dependent
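
The two steps above, written out as an added example (not code from the referenced post) using only Python's standard library. It follows RFC 5869, where the expand step chains HMAC blocks with a one-byte counter to reach the requested length, so it is more detailed than the one-line expand formula above. The context labels and the sample master key are constructed for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract: PRK = HMAC-Hash(salt, IKM). The salt is used as the HMAC key."""
    if not salt:
        # RFC 5869: an absent salt is replaced by HashLen zero bytes.
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, context: bytes, length: int) -> bytes:
    """Expand: chain blocks T(i) = HMAC-Hash(PRK, T(i-1) || context || i)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be between 1 and 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + context + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(master_key: bytes, salt: bytes = b"") -> dict:
    """Key separation: one PRK, one independent key per context label."""
    prk = hkdf_extract(salt, master_key)
    # The context labels are hypothetical names chosen for this example.
    return {
        "encryption": hkdf_expand(prk, b"example-app v1 encryption", 32),
        "mac": hkdf_expand(prk, b"example-app v1 mac", 64),
    }


if __name__ == "__main__":
    # Constructed sample input: a fixed 32-byte master key, for repeatability only.
    sample_master = bytes(range(32))
    for name, key in derive_keys(sample_master).items():
        print(name, len(key), key.hex())
```

In real use the master key comes from a cryptographically secure random source; changing only the context label yields a different, unrelated key from the same PRK.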


Reference - https://soatok.blog/2021/11/17/understanding-hkdf/