HKDF

A Key Derivation Function (KDF) is a function that takes a key, such as an ECDH (DH) generated shared secret P(x,y) or a password like “ilovechocolate”, and adds pseudorandomness so the output looks like noise but still has the same entropy. The output looks exactly like true entropy and passes every statistical test for randomness, but it is completely deterministic. A KDF spreads and obscures entropy, but does not increase it.

To generate a key from their shared secret, Charlie and Brianna need the following:

  • Key extraction — The entropy of a short or low-entropy input is extracted and mixed with the salt to produce a higher-entropy intermediate Pseudo Random Key (PRK).

  • Key expanding — A short or low-entropy password gets "stretched" into a full 256-bit key suitable for AES encryption.

  • Key diversification — Derive multiple independent keys (e.g., one for encryption, one for authentication) from a single master secret. (optional)

Introduction

Various KDF algorithms exist, such as HKDF (HMAC-based Key Derivation Function), PBKDF (Password-Based Key Derivation Function) and scrypt. To turn a DH shared secret into a proper key that can be used for AES, HKDF is the best tool. HKDF uses HMAC to perform extraction and expansion to obtain the final key.

HKDF Procedure

Charlie and Brianna have established a shared secret using ECDH and take the P(x) coordinate. While the coordinate is practically impossible for an attacker to guess, it is not perfectly random, since it is simply a point on the ECC curve.

They want to use AES to encrypt their communication and use the shared secret (IKM) to derive a final key (OKM) with high entropy. Charlie generates a random (SALT) and sends it to Brianna in plain text.

Extracting - Both Charlie and Brianna now have possession of the public (SALT) and the shared secret (IKM). Their next step is to extract the pure entropy from the (IKM), using the salt to distribute that randomness evenly into a pseudo random key (PRK).

Expanding - In the final step, they need to expand the key into the desired length and mix in an 'info' string. This string acts as an identifier for the specific type of key being generated. During this expansion step, Charlie and Brianna can derive various distinct keys simply by changing the string, under the condition that the exact strings are known by both parties. The final result will be the (OKM).

Parameters

1. IKM (Input Keying Material)
It is a key that doesn't have enough entropy, such as the aforementioned “ilovechocolate” or the ECC key P(x,y) produced by ECDH.

2. PRK (Pseudorandom Key)
This is the intermediate "concentrate." It is the direct output of the Extract phase. The Extract function has smashed the IKM and the salt together using HMAC-SHA256, destroying any mathematical bias and producing a perfectly flat, highly concentrated pool of randomness.

3. OKM (Output Keying Material)
This is the final, ready-to-use "gasoline." It is the exact AES or HMAC key you are going to use to secure your data. The Expand function takes the concentrated PRK, mixes it with your info string, and stretches it out to whatever exact length you need.

4. SALT (Random number)
A salt is a randomly generated number that is public and is mixed with the IKM. Together they produce a hash that is not reversible. Password “.

HMAC

HMAC is a MAC: a mathematical blender that has only two input slots, one for a key and one for a message. Normally HMAC is used to sign a message with a key; the result is a hash.

HKDF repurposes this HMAC blender. It doesn't use it to "sign" a message; it uses the dual-slot design just to safely smash the key and message together into a new “hash”. This hash is the final key.

HKDF Extraction 

As previously discussed, the P(x) coordinate of a DH operation is simply a point on the ECC curve. So we need to extract the entropy and mix it with the (SALT) using HMAC to produce a (PRK) that hides the ECC properties.

HKDF Expanding 

In the expanding phase the (PRK) is mixed with an info string such as “authentication” using HMAC to produce the final output keying material (OKM). Both parties could derive many keys if they use different strings. Various ciphers require keys of various lengths. In the expanding phase the (OKM) can be expanded to any size for any cipher. Since HMAC is pseudorandom no 

Entropy 

Because HMAC is a Pseudorandom Function (PRF), it creates a perfectly disguised illusion of randomness. It takes a small amount of True Entropy (the 256-bit shared secret) and stretches it into a large amount of Pseudorandomness (the OKM).


Shared Secret

p256_ecdh.log
Charlie Secret: : b1aeec16463f2b0f18a82acc8add7b15f84e79403fae82a1b33e59a33841b386
Briana Secret: : b1aeec16463f2b0f18a82acc8add7b15f84e79403fae82a1b33e59a33841b386
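
The Extract and Expand steps described above, written out with HMAC-SHA256 as an added example (not code from the original page). It uses the shared secret from p256_ecdh.log as the IKM; the salt value, the helper names and the info strings "encryption" and "authentication" are assumptions chosen for illustration, and the output length limit enforced in the Expand step comes from RFC 5869.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract: PRK = HMAC-SHA256(key=salt, message=IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869 default when no salt is given
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand: chain HMAC blocks T(1), T(2), ... keyed with the PRK."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 output is limited to 255 * 32 bytes")
    okm, block = b"", b""
    counter = 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_keys(shared_secret: bytes, salt: bytes) -> dict:
    """Each party runs this locally; same IKM + salt + info gives the same OKM."""
    prk = hkdf_extract(salt, shared_secret)
    # Hypothetical info labels; both parties must agree on the exact strings.
    return {label: hkdf_expand(prk, label.encode(), 32)
            for label in ("encryption", "authentication")}

# IKM: the shared secret both parties logged in p256_ecdh.log on this page.
IKM = bytes.fromhex("b1aeec16463f2b0f18a82acc8add7b15f84e79403fae82a1b33e59a33841b386")
# Constructed sample salt; in practice Charlie would generate it with os.urandom(32).
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    charlie = derive_keys(IKM, SALT)
    brianna = derive_keys(IKM, SALT)
    for label, key in charlie.items():
        print(label, key.hex(), "match:", hmac.compare_digest(key, brianna[label]))
```

Changing only the info string yields an unrelated 256-bit key from the same PRK, which is the key diversification step listed at the top of the page.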