HMAC Key Derivation Function (HKDF) is used to derive an encryption key from a secret such as a pass phrase. In its first (extract) step, HKDF creates a pseudorandom key (PRK) from the input keying material and a salt value using an HMAC hash function (such as HMAC-SHA256). In its second (expand) step, the PRK output is used to produce a key of the required length. If we generate a 16-byte output (32 hex characters), we have a 128-bit key, and a 32-byte output (64 hex characters) will give a 256-bit key. HKDF is used in TLS 1.3 for generating encryption keys [RFC 5869][article]. In this case we will use SHA-256 (the code below also shows MD5, SHA-1, SHA-384 and SHA-512 for comparison). Normally, for the derivation of a key from a password, the input to the HKDF method would come from a password-based KDF, such as PBKDF2, Argon2 or scrypt.
HKDF with PowerShell
Method
The following shows how an encryption key can be generated using HKDF, where we need a secret and a salt value. Both Bob and Alice have the same secret and salt.
The code is:
# Derives 32-byte (256-bit) HKDF keys from a secret word and a hex-encoded salt.
# The word and the salt are taken as the script's two arguments.
# Requires PowerShell 7 (.NET 5 or later) for [Convert]::FromHexString and the HKDF class.
$word=$Args[0]
$salt=$Args[1]
"Input word: "+$word
"Salt: "+$salt
$enc = [System.Text.Encoding]::UTF8
$ikm = $enc.GetBytes($word)                 # input keying material (IKM) for the extract step
$salt=[Convert]::FromHexString($salt)       # salt as raw bytes
$info=[Convert]::FromHexString("")          # no context ("info") bytes for the expand step
# DeriveKey runs both HKDF steps (extract, then expand) and returns the requested 32 bytes.
# MD5 and SHA-1 are included only for comparison with the stronger hash functions.
$hash=[System.Security.Cryptography.HKDF]::DeriveKey([System.Security.Cryptography.HashAlgorithmName]::MD5,$ikm,32,$salt,$info)
"HKDF (MD5) is "+[Convert]::ToHexString($hash)
$hash=[System.Security.Cryptography.HKDF]::DeriveKey([System.Security.Cryptography.HashAlgorithmName]::SHA1,$ikm,32,$salt,$info)
"HKDF (SHA1) is "+[Convert]::ToHexString($hash)
$hash=[System.Security.Cryptography.HKDF]::DeriveKey([System.Security.Cryptography.HashAlgorithmName]::SHA256,$ikm,32,$salt,$info)
"HKDF (SHA256) is "+[Convert]::ToHexString($hash)
$hash=[System.Security.Cryptography.HKDF]::DeriveKey([System.Security.Cryptography.HashAlgorithmName]::SHA384,$ikm,32,$salt,$info)
"HKDF (SHA384) is "+[Convert]::ToHexString($hash)
$hash=[System.Security.Cryptography.HKDF]::DeriveKey([System.Security.Cryptography.HashAlgorithmName]::SHA512,$ikm,32,$salt,$info)
"HKDF (SHA512) is "+[Convert]::ToHexString($hash)
A sample run is:
Input word: hello
Salt: 8e94ef805b93e683ff18
HKDF (MD5) is 1A3F4398F3BB12A32FA827855AFEABB1293DE05A288AC65617B06FA9200449ED
HKDF (SHA1) is 6DE55B4F04A54A32989EBE3E9FE8AD5C26E8BDA2E58280727268EAF06680857F
HKDF (SHA256) is 13485067E21AF17C0900F70D885F02593C0E61E46F86450E4A0201A54C14DB76
HKDF (SHA384) is B3E0E2F0A14D03841B01C12286CB054D046C24B5C5910CC5904C9A984D9BF5C0
HKDF (SHA512) is 062B74C73BC4E84C8BA8D5DB945D36E304099C62FFCB79FAB7E1BD6BF71C1B03
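As an added example that is not part of the original page, the following PowerShell 7 script writes out the two HKDF-SHA256 steps from RFC 5869 (extract, then expand) with HMACSHA256 and compares the result with the built-in DeriveKey call used above; the function name Invoke-HkdfSha256 is chosen here and is not a .NET or PowerShell API.

```powershell
# Added example: HKDF-SHA256 extract and expand by hand, checked against HKDF.DeriveKey.
# Invoke-HkdfSha256 is a name chosen for this example, not a built-in cmdlet or .NET method.
function Invoke-HkdfSha256 {
    param([byte[]]$Ikm, [byte[]]$Salt, [byte[]]$Info, [int]$Length)
    $hashLen = 32                                   # SHA-256 output size in bytes
    if ($Length -lt 1 -or $Length -gt 255 * $hashLen) { throw "Length must be 1..$(255 * $hashLen) bytes" }
    # RFC 5869: an absent salt is replaced by HashLen zero bytes; info may be empty
    if ($null -eq $Salt -or $Salt.Length -eq 0) { $Salt = [byte[]]::new($hashLen) }
    if ($null -eq $Info) { $Info = [byte[]]@() }
    # Step 1, extract: PRK = HMAC-SHA256(key = salt, data = IKM)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Salt)
    $prk  = $hmac.ComputeHash($Ikm)
    # Step 2, expand: T(i) = HMAC-SHA256(key = PRK, data = T(i-1) | info | i), until Length bytes
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($prk)
    $okm  = [System.Collections.Generic.List[byte]]::new()
    $t    = [byte[]]@()                             # T(0) is the empty string
    $i    = 1
    while ($okm.Count -lt $Length) {
        $t = $hmac.ComputeHash([byte[]]($t + $Info + [byte]$i))
        $okm.AddRange($t)
        $i++
    }
    # Truncate to the requested length; the leading comma stops PowerShell unrolling the array
    $out = [byte[]]($okm.ToArray()[0..($Length - 1)])
    return ,$out
}

# Same inputs as the sample run above: word "hello", salt 8e94ef805b93e683ff18, no info, 32 bytes
$ikm  = [System.Text.Encoding]::UTF8.GetBytes("hello")
$salt = [Convert]::FromHexString("8e94ef805b93e683ff18")
$info = [byte[]]@()

$manual  = Invoke-HkdfSha256 -Ikm $ikm -Salt $salt -Info $info -Length 32
$builtin = [System.Security.Cryptography.HKDF]::DeriveKey(
    [System.Security.Cryptography.HashAlgorithmName]::SHA256, $ikm, 32, $salt, $info)

"Manual HKDF (SHA256):   " + [Convert]::ToHexString($manual)
"Built-in HKDF (SHA256): " + [Convert]::ToHexString($builtin)
# Both values should equal the HKDF (SHA256) line of the sample run above
"Match: " + ([Convert]::ToHexString($manual) -eq [Convert]::ToHexString($builtin))
```

Because expand is a counter-driven HMAC chain, asking for a 16-byte key simply truncates the same first block, so keys of different lengths derived from one PRK share their leading bytes; derive separate keys by changing the info field, not the length.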