RFC5869 defines HKDF in 2 steps, extraction and expansion.
The scheme HKDF is specifed as: HKDF(XTS, SKM, CTXinfo, L) = K(1) || K(2) || ... || K(t) where the values K(i) are defined as follows: PRK = HMAC(XTS, SKM) K(1) = HMAC(PRK, CTXinfo || 0); K(i+1) = HMAC(PRK, K(i) || CTXinfo || i), 1 <= i < t; where t = [L/k] and the value K(t) is truncated to its first d = L mod k bits; the counter i is non-wrapping and of a given fixed size, e.g., a single byte. Note that the length of the HMAC output is the same as its key length and therefore the scheme is well defined.
XTS is the "extractor salt" SKM is the "secret keying material"
N.B. http://eprint.iacr.org/2010/264.pdf seems to differ from RFC 5869 in that the test vectors from RFC 5869 only work if K(0) = '' and K(1) = HMAC(PRK, K(0) || CTXinfo || 1)
|string||$hash||The hashing function to use (e.g., sha256) |
|string||$ikm||The input keying material |
|string||$salt||The salt to add to the ikm, to get the prk |
|string||$info||Optional context (change the output without affecting the randomness properties of the output) |
|int||$L||Number of bytes to return |
- string Cryptographically secure pseudorandom binary string
Definition at line 74 of file MWCryptHKDF.php.
Referenced by MWCryptHKDFTest\testRfc5869().