Online tool for deriving and verifying HKDF keys. Using the HMAC-based Extract-and-Expand Key Derivation Function, it derives keys from an input key and a random salt, and supports a custom hash function, derived key length, info field, and other parameters. HKDF derived keys can also be verified online.
A key derivation function (KDF) is a basic and essential component of cryptographic systems. Its goal is to take some source of initial keying material and derive from it one or more cryptographically strong secret keys. This document specifies a simple HMAC-based [HMAC] KDF, named HKDF, which can be used as a building block in various protocols and applications, and is already used in several IETF protocols, including [IKEv2], [PANA], and [EAP-AKA]. The purpose is to document this KDF in a general way to facilitate adoption in future protocols and applications, and to discourage the proliferation of multiple KDF mechanisms. It is not intended as a call to change existing protocols and does not change or update existing specifications using this KDF.
HKDF follows the "extract-then-expand" paradigm, where the KDF logically consists of two modules. The first stage takes the input keying material and "extracts" from it a fixed-length pseudorandom key K. The second stage "expands" the key K into several additional pseudorandom keys (the output of the KDF).
In many applications, the input keying material is not necessarily distributed uniformly, and the attacker may have some partial knowledge about it (for example, a Diffie-Hellman value computed by a key exchange protocol) or even partial control of it (as in some entropy-gathering applications). Thus, the goal of the "extract" stage is to "concentrate" the possibly dispersed entropy of the input keying material into a short, but cryptographically strong, pseudorandom key. In some applications, the input may already be a good pseudorandom key; in these cases, the "extract" stage is not necessary, and the "expand" part can be used alone.
The second stage "expands" the pseudorandom key to the desired length; the number and lengths of the output keys depend on the specific cryptographic algorithms for which the keys are needed.
- Input Key Material: The input key. Supports string, hex, and base64 formats.
- Algorithm: The hash algorithm used for HKDF key derivation and verification. This tool supports MD2, MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, and SM3.
- Skip Extract: Whether to skip the Extract phase of HKDF. In some applications, the input key material IKM may already be present as a cryptographically strong key (for example, the premaster secret in TLS RSA cipher suites would be a pseudorandom string, except for the first two octets). In this case, one can skip the extract part and use IKM directly to key HMAC in the expand step. On the other hand, applications may still use the extract part for the sake of compatibility with the general case.
- Derived Key Length: The length of the derived key in bits, from 8 to 1000000. It must be a multiple of 8 and cannot exceed 255 * the hash length in bits.
- Salt: Optional. The random salt used in the HKDF calculation. Supports string, hex, and base64 formats.
- Info: Optional. The additional Info field that HKDF accepts. Supports string, hex, and base64 formats.
- Derived Key Format: The format in which the derived key is displayed or entered. Supports hex and base64.
- Charset: Required when the salt, info, or input key is entered in string format.
- Generate: Generate an HKDF derived key using the set parameters.
- Verify: Use the set parameters to check whether the entered derived key is correct.
- HKDF Reference Documentation.
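The parameters above map onto the two HKDF stages as follows. This Python code is an added example, not the tool's own implementation: the function names and the sample inputs are assumptions, lengths are passed in bits as in the tool, and only hash functions available in Python's `hashlib` are covered.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """Extract: PRK = HMAC-Hash(salt, IKM). An empty salt means HashLen zero bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    return hmac.new(salt or b"\x00" * hash_len, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated then truncated."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 1 <= length <= 255 * hash_len:  # the one-byte block counter caps the output
        raise ValueError(f"length must be 1..{255 * hash_len} bytes for {hash_name}")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm, length_bits, salt=b"", info=b"", hash_name="sha256", skip_extract=False):
    """Derive length_bits of output; skip_extract keys the expand step with IKM itself."""
    if length_bits % 8:
        raise ValueError("derived key length must be a multiple of 8 bits")
    prk = ikm if skip_extract else hkdf_extract(salt, ikm, hash_name)
    return hkdf_expand(prk, info, length_bits // 8, hash_name)


def hkdf_verify(candidate: bytes, ikm, length_bits, **params) -> bool:
    """Verify: re-derive with the same parameters and compare in constant time."""
    return hmac.compare_digest(candidate, hkdf(ikm, length_bits, **params))


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical values, for illustration only).
    ikm = b"sample input keying material"
    salt = bytes.fromhex("000102030405060708090a0b0c")
    key = hkdf(ikm, 256, salt=salt, info=b"example context")
    print("derived :", key.hex())
    print("verify  :", hkdf_verify(key, ikm, 256, salt=salt, info=b"example context"))
    print("tampered:", hkdf_verify(bytes(32), ikm, 256, salt=salt, info=b"example context"))
```

With `skip_extract=True` the input key is used as the pseudorandom key directly, so it should already be uniformly random and at least as long as the hash output.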