2. HMAC-based Key Derivation Function (HKDF)
2.1. Notation
HMAC-Hash denotes the HMAC function [HMAC] instantiated with hash function 'Hash'. HMAC always has two arguments: the first is a key and the second an input (or message). (Note that in the extract step, 'IKM' is used as the HMAC input, not as the HMAC key.)
When the message is composed of several elements we use concatenation (denoted |) in the second argument; for example, HMAC(K, elem1 | elem2 | elem3).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].
2.2. Step 1: Extract
HKDF-Extract(salt, IKM) -> PRK
Options:
Hash: a hash function; HashLen denotes the length of the hash function output in octets
Inputs:
salt: optional salt value (a non-secret random value); if not provided, it is set to a string of HashLen zeros.
IKM: input keying material
Output:
PRK: a pseudorandom key (of HashLen octets)
The output PRK is calculated as follows:
PRK = HMAC-Hash(salt, IKM)
2.3. Step 2: Expand
HKDF-Expand(PRK, info, L) -> OKM
Options:
Hash: a hash function; HashLen denotes the length of the hash function output in octets
Inputs:
PRK: a pseudorandom key of at least HashLen octets (usually, the output from the extract step)
info: optional context and application specific information (can be a zero-length string)
L: length of output keying material in octets (<= 255*HashLen)
Output:
OKM: output keying material (of L octets)
The output OKM is calculated as follows:
N = ceil(L/HashLen)
T = T(1) | T(2) | T(3) | ... | T(N)
OKM = first L octets of T
where:
T(0) = empty string (zero length)
T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
...
(where the constant concatenated to the end of each T(n) is a single octet.)