Module hkdf

HMAC-based Extract-and-Expand Key Derivation Function.

HKDF is specified in RFC 5869.

Example

use aws_lc_rs::{aead, hkdf, hmac, rand};

// Generate a (non-secret) salt value
let mut salt_bytes = [0u8; 32];
rand::fill(&mut salt_bytes).unwrap();

// Extract pseudo-random key from secret keying materials
let salt = hkdf::Salt::new(hkdf::HKDF_SHA256, &salt_bytes);
let pseudo_random_key = salt.extract(b"secret input keying material");

// Derive HMAC key
let hmac_key_material = pseudo_random_key
    .expand(
        &[b"hmac contextual info"],
        hkdf::HKDF_SHA256.hmac_algorithm(),
    )
    .unwrap();
let hmac_key = hmac::Key::from(hmac_key_material);

// Derive UnboundKey for AES-128-GCM
let aes_keying_material = pseudo_random_key
    .expand(&[b"aes contextual info"], &aead::AES_128_GCM)
    .unwrap();
let aead_unbound_key = aead::UnboundKey::from(aes_keying_material);

Structs

• Algorithm
  An HKDF algorithm.
• Okm
  An HKDF OKM (Output Keying Material)
• Prk
  A HKDF PRK (pseudorandom key).
• Salt
  A salt for HKDF operations.

Statics

• HKDF_SHA1_FOR_LEGACY_USE_ONLY
  HKDF using HMAC-SHA-1. Obsolete.
• HKDF_SHA256
  HKDF using HMAC-SHA-256.
• HKDF_SHA384
  HKDF using HMAC-SHA-384.
• HKDF_SHA512
  HKDF using HMAC-SHA-512.

Traits

• KeyType
  The length of the OKM (Output Keying Material) for a Prk::expand() call.