
HKDF Key Derivation

Online HKDF key derivation tool with RFC 5869 extract/expand flow, SHA-256/384/512, multi-format IKM/PRK/Info inputs, and OKM export for protocol key scheduling and cryptographic development.

RFC 5869 HMAC-based extract-and-expand key derivation

Tool Overview

Supports HKDF-Extract, HKDF-Expand, and full two-step derivation for TLS key schedule, protocol integration, and purpose-separated subkeys.

HKDF Documentation

HKDF (HMAC-based Key Derivation Function), defined by RFC 5869, derives high-quality subkeys from input keying material using an extract-and-expand design.

It is widely used in TLS 1.3, Noise, and Signal, and is ideal for deriving hierarchical keys from high-entropy shared secrets.

Extract Phase: HKDF-Extract(salt, IKM) -> PRK

The extract phase concentrates entropy into a fixed-length PRK:

  • Provide IKM and an optional salt (an empty salt defaults to HashLen zero bytes)
  • Compute PRK = HMAC-Hash(salt, IKM)
  • PRK length always equals hash output length

Expand Phase: HKDF-Expand(PRK, info, L) -> OKM

The expand phase iteratively generates output keying material of length L:

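  • Compute T(i) = HMAC-Hash(PRK, T(i-1) | info | counter), where T(0) is empty and counter is the single byte i, starting at 1
  • Concatenate T(1) through T(N) and truncate to the first L bytes to form OKM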
  • Maximum output length is 255 × HashLen bytes
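
The extract and expand steps above in Python, using only the standard library. This is an added example, not the tool's own code; `derive_session_keys`, its info labels, and the sample secret and salt are assumptions made for illustration.

```python
import hashlib
import hmac
import math


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = bytes(hash_len)  # empty salt defaults to HashLen zero bytes
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = first L bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 <= length <= 255 * hash_len:
        raise ValueError("L must not exceed 255 * HashLen bytes")
    if len(prk) < hash_len:
        raise ValueError("PRK must be at least HashLen bytes")
    okm, block = b"", b""  # T(0) is the empty string
    for counter in range(1, math.ceil(length / hash_len) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def derive_session_keys(shared_secret: bytes, salt: bytes) -> dict:
    """Purpose separation: one extract, then one expand per labelled subkey."""
    prk = hkdf_extract(salt, shared_secret)
    # Hypothetical info labels; a real protocol defines its own context strings.
    labels = {"enc": b"example v1 encryption", "mac": b"example v1 authentication"}
    return {name: hkdf_expand(prk, info, 32) for name, info in labels.items()}


if __name__ == "__main__":
    # Constructed sample input standing in for an ECDH shared secret.
    keys = derive_session_keys(bytes(range(32)), salt=b"constructed-salt")
    for name, key in keys.items():
        print(name, key.hex())
```

The PRK never leaves `derive_session_keys`; callers only see keys produced by the expand step, each bound to its own info label.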

Typical Use Cases

  • TLS 1.3 key schedule and traffic key derivation
  • Signal/Noise chain keys and message keys
  • Purpose separation after ECDH shared secret generation
  • Hierarchical subkey derivation from a master key

HKDF vs PBKDF2

| Feature | HKDF | PBKDF2 |
|---|---|---|
| Standard | RFC 5869 | RFC 8018 |
| Input | High-entropy shared secret | User password |
| Method | Extract + Expand | Iteration stretching |
| Primary Use | Protocol key scheduling | Password storage and derivation |

Security Best Practices

  • Do not use HKDF directly with weak passwords
  • Use info for context binding and purpose separation
  • Use distinct salts when deriving multiple keys from one IKM
  • Avoid using PRK directly; derive final keys via expand

References

  • RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function
  • RFC 8446 - TLS 1.3 Key Schedule
  • Signal Double Ratchet Specification

Data is processed locally in your browser by default and will not be uploaded to any server. Upload will be clearly indicated if required.
