Key Derivation Function (KDF)
A Key Derivation Function is a cryptographic operation that takes some form of input (e.g., a password or keying material) and applies an algorithm to produce an output that can be used as a key for subsequent cryptographic operations.
There are broadly two classes of KDFs: those that take a password as the initial input and those that take a cryptographic key. Each class is described below.
Password-based KDFs take a user's password and perform a cryptographic operation to produce a key that can then be used in other cryptographic operations, such as file encryption. A good example of this form of KDF is PBKDF2.
The other class of KDFs accepts a key and uses that key to produce one or more additional keys. For example, suppose an application needs one key to perform encryption and a second key to perform a MAC operation. This class of KDF can produce these two keys in a cryptographically secure way. A good example of this form of KDF is HKDF.
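The two classes chained together, as an added example that is not part of the original page: PBKDF2 turns a password into a master key, and HKDF (written out from RFC 5869 using only the Python standard library) expands that master key into separate encryption and MAC keys. The function name derive_app_keys, the info labels, the iteration default and the demo salt are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF step 1 (RFC 5869): condense input keying material into a PRK."""
    # An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF step 2: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF cannot produce more than 255 hash blocks")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_app_keys(password: str, salt: bytes, iterations: int = 600_000):
    """Password -> master key (PBKDF2) -> (encryption key, MAC key) via HKDF."""
    # Password-based class: deliberately slow, so guessing passwords is costly.
    # The iteration default is an assumption; tune it to your hardware.
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Key-based class: fast, and a distinct `info` label per purpose yields
    # independent keys, so the MAC key is never reused as the encryption key.
    prk = hkdf_extract(salt, master)
    enc_key = hkdf_expand(prk, b"example-app encryption key", 32)  # hypothetical label
    mac_key = hkdf_expand(prk, b"example-app mac key", 32)         # hypothetical label
    return enc_key, mac_key


if __name__ == "__main__":
    # Constructed demo salt; generate a random one per user (os.urandom(16)).
    demo_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    enc, mac = derive_app_keys("correct horse battery staple", demo_salt, 10_000)
    print("encryption key:", enc.hex())
    print("MAC key:       ", mac.hex())
```

The salt must be stored alongside the ciphertext so the same keys can be re-derived later; it does not need to be secret.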
