The analysis and implementation of HKDF algorithm for information digest algorithm VI

HKDF is a specific key-derived function (KDF), the function of the initial keying material, from which the KDF derives one or more strong cryptographic keys. What we want to describe here is the HMAC-based HKDF.

1 , HKDF Overview

A key derivation function (KDF) is an essential part of a cryptography system. Its goal is to acquire some initial keying material and derive one or more security-strong keys from it.

We're going to introduce the HMAC-based KDF, called HKDF, which can be applied to a variety of protocols and application constructs. The HKDF is logically composed of two parts. The first section takes the input keying material and "extract", which is a fixed-length pseudo-random key K. The second part expands the key to several random keys and outputs it at the length we need.

In many applications, the keying material that is entered is not necessarily evenly distributed, and the attacker may have some knowledge of it, and can even partially control it. Therefore, the goal of the "extract" phase is to "centralize" the possible scattered entropy of the input keying material into a short, but high-intensity pseudo-random key. In some applications, the input may already be a good pseudo-random key; In these cases, the extract section is unnecessary and the Extensions section can be used alone.

The second stage "extends" the pseudo-random key to the desired length, and the number and length of the output key depend on the specific encryption algorithm of the required key.

2 , Algorithm description

HKDF is the use of an instantiated hash function of the HMAC to achieve key generation. HMAC has two necessary parameters: the first is the key and the second is the input (or message). When a message consists of several elements, we use concatenation in the second argument (representing |); For example, HMAC (K, ELEM1|ELEM2|ELEM3).

In general, the work done by the HKDF algorithm is divided into 2 steps, one called extraction, and the other called expansion. Next we explain these two steps.

(1), extract

The so-called extraction is the user input of the key as far as possible pseudo-randomization. It is generally implemented using a hash function, which is more specific to be determined in the HMAC. This process can be expressed as follows:

Hkdf-extract (salt, IKM) gets PRK, and the PRK formula is as follows:

PRK = Hmac-hash (salt, IKM), which has 2 inputs and one output,

Salt, the input, salt-operated salts, if not provided, are all initialized to a string of 0, and the length is the hash value length of the hashed function used.

IKM, input, amount Udemiyao material.

PRK, output, pseudo-randomized key, length is the hashed value length of the hash function used.

It is important to note that in this step "IKM" is used as an HMAC input instead of an HMAC key.

(2), extended

The so-called extension, in fact, is to extend the key to the length we need through a series of hashing operations. We remember this length as L. This process is identified as follows:

Hkdf-expand (PRK, info, L), OKM, which has 3 inputs and one output, where:

PRK, input, is generally obtained in the extraction phase of the output, is a pseudo-random key, the length is not less than the output digest length of the hashing algorithm used.

info, input, optional context and application-specific information (can be 0-length string)

L, input, the length of the key raw material calculated in bytes, generally not longer than 255 times times the length of the hash function output digest.

OKM, OUTPUT, l-length key material output, which is calculated as follows:

Computes a series of hashes, which we remember as T (N), where n is an integer of 0-255, and the value is determined by the calculated length L. The maximum value of n is: l divided by the hash function used to output the length of the digest, and then rounding up, we will write it as N.

T (0) = empty string with a length of 0

T (1) = Hmac-hash (PRK, T (0) | info | 0x01)

T (2) = Hmac-hash (PRK, T (1) | info | 0x02)

T (3) = Hmac-hash (PRK, T (2) | info | 0x03)

Until T (N), it is important to note that each hash operation will be threaded to a constant of one byte, from 1 to N, so the maximum n value can be only 255. The computed t (n) is then strung together, which we remember as T, namely:

t = t (1) | T (2) | T (3) | ... | T (N)

And the okm we want to get is just the first L bytes of T. This is where we get the keying material we want.

3 , code implementation

Above we have described the implementation of the HKDF, and we will implement the process next. First, let's define a context structure.

/** the structure will provide contextual information for the HKDF extract-extension key derivation function */

typedef struct HKDFCONTEXT {

int Whichsha;

Hmaccontext Hmaccontext;

int hashsize;

unsigned char prk[shamaxhashsize];

int Computed;

int corrupted;

} Hkdfcontext;

We then implement the HDKF extraction function, which is implemented as follows:

int Hkdfextract (Shaversion Whichsha,

Const unsigned char *salt, int salt_len,

Const unsigned char *ikm, int ikm_len,

uint8_t Prk[shamaxhashsize])

{

unsigned char nullsalt[shamaxhashsize];

if (salt = = 0)

{

Salt = Nullsalt;

Salt_len = Shahashsize (Whichsha);

memset (Nullsalt, ' Salt_len ');

}

else if (Salt_len < 0)

{

return shabadparam;

}

Return HMAC (Whichsha, ikm, Ikm_len, salt, Salt_len, PRK);

}

You also need to implement the HKDF extension function, which is implemented as follows:

int Hkdfexpand (shaversion whichsha, const uint8_t prk[], int prk_len,

Const unsigned char *info, int info_len,

uint8_t okm[], int okm_len)

{

int Hash_len, N;

unsigned char t[shamaxhashsize];

int Tlen, where, I;

if (info = = 0)

{

info = (const unsigned char *) "";

Info_len = 0;

}

else if (Info_len < 0)

{

return shabadparam;

}

if (okm_len <= 0) return shabadparam;

if (!okm) return shabadparam;

Hash_len = Shahashsize (Whichsha);

if (Prk_len < Hash_len) return shabadparam;

N = Okm_len/hash_len;

if (okm_len% hash_len)! = 0) n++;

if (N > 255) return shabadparam;

Tlen = 0;

where = 0;

for (i = 1; I <= N; i++)

{

Hmaccontext context;

unsigned char c = i;

int ret = Hmacreset (&context, Whichsha, PRK, Prk_len) | |

Hmacinput (&context, T, Tlen) | |

Hmacinput (&context, info, info_len) | |

Hmacinput (&context, &c, 1) | |

Hmacresult (&context, T);

if (ret! = shasuccess) return ret;

memcpy (okm + where, T, (i! = N)? Hash_len: (Okm_len-where));

where + = Hash_len;

Tlen = Hash_len;

}

return shasuccess;

}

So far we have realized the full functionality of HKDF.

4 , Results

We have implemented the HKDF before, and we need to validate it, we use the SHA-256 hash function to generate 40-bit and 80-key keys, respectively.

40-bit key:

80-bit key:

Obviously, the 40-bit key and the 80-bit key are the same as the first 40 bits.

The analysis and implementation of HKDF algorithm for information digest algorithm VI