# HKDF > key derivation function based on a HMAC **Wikidata**: [Q24962849](https://www.wikidata.org/wiki/Q24962849) **Wikipedia**: [English](https://en.wikipedia.org/wiki/HKDF) **Source**: https://4ort.xyz/entity/hkdf ## Summary HKDF is a key derivation function based on HMAC that securely derives one or more secret keys from a secret value. It is formally defined in RFC 5869 as the HMAC-based Extract-and-Expand Key Derivation Function. HKDF is widely used in cryptographic protocols for key expansion and derivation. ## Key Facts - Instance of: key derivation function - Based on: HMAC (Hash-based Message Authentication Code) - Standard: RFC 5869 - Aliases: HMAC-based Extract-and-Expand Key Derivation Function - Wikipedia titles: HKDF - Available in: Czech (cs) and English (en) Wikipedia - Wikidata description: key derivation function based on a HMAC - Google Knowledge Graph ID: /g/11cn8z89br - Sitelink count: 2 ## FAQs ### Q: What is HKDF used for? A: HKDF is used to derive one or more secret keys from a secret value in cryptographic applications. It provides a secure way to expand keys for various purposes like encryption, authentication, and key exchange protocols. ### Q: How does HKDF differ from other key derivation functions? A: HKDF is specifically based on HMAC, making it both simple and cryptographically strong. Unlike some other KDFs, it uses a two-step process (extract-then-expand) that provides better security properties when the input key material may have low entropy. ### Q: What standard defines HKDF? A: HKDF is formally defined in RFC 5869, titled "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)." This RFC provides the complete specification and security analysis of the function. ## Why It Matters HKDF matters because it provides a standardized, well-analyzed method for deriving cryptographic keys from shared secrets or other key material. In modern cryptography, many protocols require multiple keys for different purposes (encryption, MAC, etc.) derived from a single shared secret. HKDF solves this problem efficiently and securely using HMAC as its core primitive. Its adoption in standards like TLS 1.3 and various other protocols demonstrates its practical importance. The function's design ensures that even if the input key material has low entropy, the derived keys will still be cryptographically strong, making it particularly valuable in real-world scenarios where perfect randomness cannot be guaranteed. ## Notable For - Standardized in RFC 5869 as the definitive HMAC-based key derivation function - Used in TLS 1.3 and other major cryptographic protocols - Provides extract-then-expand construction for better security properties - Simple implementation based on widely-available HMAC primitives - Supports both single and multiple key derivation from the same input ## Body ### Technical Foundation HKDF is built on HMAC, leveraging its collision resistance and pseudorandomness properties. The function operates in two distinct phases: extraction and expansion. ### Extraction Phase The extraction phase takes input key material (IKM) and optional salt to produce a pseudorandom key (PRK). This step is crucial when the IKM may have low entropy, as it "extracts" the entropy to produce a cryptographically strong PRK. ### Expansion Phase The expansion phase takes the PRK and expands it into the required output keying material (OKM) of arbitrary length. This is done using a configurable info parameter that allows context-specific derivation. ### Security Properties HKDF provides several important security guarantees: - Forward secrecy when used with ephemeral keys - Context binding through the info parameter - Resistance to length extension attacks - Proper handling of low-entropy input material ### Applications HKDF is used in numerous cryptographic protocols including: - TLS 1.3 key schedule - IKEv2 (Internet Key Exchange) - Various password-based key derivation schemes - Cryptographic protocol design where multiple keys are needed from a single secret