2020年10月16日 · The HKDF claims the salt is optional although using a random salt does strengthen it. I am confused that when is the scenario that an HKDF is required (especially without salt). If we already have a key with enough entropy, why we need it? If we have a weak key without enough entropy, how does HKDF (without salt) help this situation?

2018年11月19日 · (1) Run HKDF (extract-then-expand) with the scrypt result as input key material (ikm) and a NEW random salt for each file to be encrypted (2) Run HKDF (extract-then-expand) with the scrypt result as ikm, a FIXED random salt, and a …

2017年8月31日 · HKDF Implementations in Java No, Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF) has, like most KDFs, no standard implementation in JCA (as of 2020). There are some implementations embedded …

2016年11月4日 · The HKDF scheme from RFC-5869 (and also NIST SP-800-56c) was originally proposed by Hugo Krawczyk in [1] as extract-then-expand KDF. As the name suggests, the function works in two steps. First, a key for key-derivation is extracted from the input keying material and a salt.

HKDF assumes that the salt is not attacker-chosen. If an attacker can influence the IV, then that's a definite no. OTOH, if the IV known to be completely independent of the key, it should be secure, since CTR doesn't place any requirements on the IV beyond uniqueness.

2015年5月29日 · I think HKDF is the easiest solution in my case. This explanation gives a clear definition of HKDF. In the case where the number of key bits requested from the KDF is equal to the hash output length (i.e. L = k in the definition), do I have to compute 2 HMACs: PRK = HMAC(XTS, SKM) and K(1) = HMAC(PRK, CTXinfo) or can I directly compute:

2018年4月16日 · The other, earlier half of HKDF is the HKDF-extract function, whose purpose is to take random inputs that are not directly suitable for use directly as cryptographic keys because they are biased, and output a master pseudorandom key ("PRK" in the RFC's terminology) that is suitable for direct use or further derivation. But PBKDF2 is already ...

If all you're using HKDF for is deriving subkeys from a uniformly random master key, you don't really need the Extract part of HKDF. So you can simply use your master key directly as the IKM input to HKDF-Expand, and the serial number (plus possibly other identifying information , if you e.g. may need to derive multiple keys per card) as the ...

That said, this particular pathology is fixed in Argon2, but HKDF-Expand may still be more convenient for labeling the subkeys by purpose. Summary: If you have a high min-entropy but nonuniform secret like a Diffie–Hellman shared secret, then use HKDF-Extract. If you have a low min-entropy secret like a password, use Argon2.

2022年6月14日 · The HKDF paper provides as good a summary as any:. A Key derivation function (KDF) is a basic and essential component of cryptographic systems: Its goal is to take a source of initial keying material, usually containing some good amount of randomness, but not distributed uniformly or for which an attacker has some partial knowledge, and derive from it …