
HKDF: ikm, salt and info values - Cryptography Stack Exchange
November 19, 2018 · (1) Run HKDF (extract-then-expand) with the scrypt result as input key material (ikm) and a NEW random salt for each file to be encrypted (2) Run HKDF (extract-then-expand) with the scrypt result as ikm, a FIXED random salt, and a …
key derivation - Difference between RFC-5869 (HKDF) and SP800 …
November 4, 2016 · The HKDF scheme from RFC-5869 (and also NIST SP-800-56c) was originally proposed by Hugo Krawczyk in [1] as extract-then-expand KDF. As the name suggests, the function works in two steps. First, a key for key-derivation is extracted from the input keying material and a salt.
Differences between HMAC and HKDF in a specific case
May 29, 2015 · I think HKDF is the easiest solution in my case. This explanation gives a clear definition of HKDF. In the case where the number of key bits requested from the KDF is equal to the hash output length (i.e. L = k in the definition), do I have to compute 2 HMACs: PRK = HMAC(XTS, SKM) and K(1) = HMAC(PRK, CTXinfo) or can I directly compute:
HKDF: Difference between salt and info - Cryptography Stack …
If all you're using HKDF for is deriving subkeys from a uniformly random master key, you don't really need the Extract part of HKDF. So you can simply use your master key directly as the IKM input to HKDF-Expand, and the serial number (plus possibly other identifying information, if you e.g. may need to derive multiple keys per card) as the ...
Deriving 2 keys using HKDF - Cryptography Stack Exchange
HKDF assumes that the salt is not attacker-chosen. If an attacker can influence the IV, then that's a definite no. OTOH, if the IV is known to be completely independent of the key, it should be secure, since CTR doesn't place any requirements on the IV beyond uniqueness.
symmetric - Is HMAC a suitable substitute for HKDF?
April 16, 2018 · The other, earlier half of HKDF is the HKDF-extract function, whose purpose is to take random inputs that are not directly suitable for use directly as cryptographic keys because they are biased, and output a master pseudorandom key ("PRK" in the RFC's terminology) that is suitable for direct use or further derivation. But PBKDF2 is already ...
Key Derivation Functions vs. Password Hashing Schemes
That said, this particular pathology is fixed in Argon2, but HKDF-Expand may still be more convenient for labeling the subkeys by purpose. Summary: If you have a high min-entropy but nonuniform secret like a Diffie–Hellman shared secret, then use HKDF-Extract. If you have a low min-entropy secret like a password, use Argon2.
collision resistance - How many different keys can be derived with …
February 24, 2021 · How many different keys can be derived with HKDF before two outputs are identical? This question is about collision resistance, not about generating different keys with different parameters (eg. different salts/info parameters). For HKDF with SHA-256 would it be $2^{128}$ since the collision resistance of HMAC-SHA-256 is 128 bit?
hash - HKDF randomness extraction - salt or no salt?
January 6, 2022 · The Randomness Extraction and Key Derivation paper (linked to by the HKDF paper) states: In addition, the "monolithic" randomness assumption on a single (unkeyed) function such as SHA-1 is inappropriate for the setting of randomness extraction as no single function (even if fully random) can extract a close-to-uniform distribution from ...
Key derivation functions (KDF): What are they, what are their main ...
June 14, 2022 · The HKDF paper provides as good a summary as any: A Key derivation function (KDF) is a basic and essential component of cryptographic systems: Its goal is to take a source of initial keying material, usually containing some good amount of randomness, but not distributed uniformly or for which an attacker has some partial knowledge, and derive from it …