Password hashing / KDF

HKDF

HMAC-based Extract-and-Expand Key Derivation Function, by Hugo Krawczyk (CRYPTO 2010, RFC 5869). HKDF is the modern default fornon-passwordkey derivation: TLS 1.3, Signal, Noise, Tor, QUIC, WireGuard, and libsodium’s kdf module all use it.

At a glance

HKDF is NOT for passwords

HKDF runs in microseconds. It assumes the input key material already has high entropy (a Diffie-Hellman shared secret, a random session key). For deriving keys from passwords, use Argon2id, scrypt, or PBKDF2.

The two stages

1. Extract: PRK = HMAC(salt, IKM). Concentrates IKM entropy into a fixed-length PRK. Random salt makes HKDF a strong randomness extractor.
2. Expand: produce as many output bytes as needed by chaining HMACs. Each block T(i) = HMAC(PRK, T(i-1) ∥ info ∥ i).

The info field, domain separation

Reusing the same PRK for multiple keys is fine as long as info differs. Always include protocol name, version, and key purpose in info.

Where it is used

• TLS 1.3 , the entire key schedule is HKDF-SHA-256/384.
• Signal protocol , deriving message keys from the ratchet output.
• Noise framework , key derivation in every Noise handshake.
• QUIC , packet protection keys.
• WireGuard , key schedule.
• libsodium , crypto_kdf uses HKDF-SHA-512.

References

• RFC 5869 , HKDF
• Krawczyk , Cryptographic Extraction and Key Derivation: The HKDF Scheme (CRYPTO 2010)
• RFC 8446 §7 , TLS 1.3 key schedule using HKDF