Editing Key derivation function (section)

== Key derivation ==
The original use for a KDF is key derivation, the generation of keys from secret passwords or passphrases. Variations on this theme include:

* In conjunction with non-secret parameters to derive one or more keys from a common secret value (which is sometimes also referred to as "'''key diversification'''"). Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems.
* As components of multiparty [[key-agreement protocol]]s. Examples of such key derivation functions include KDF1, defined in [[IEEE P1363|IEEE Std 1363-2000]], and similar functions in ANSI X9.42.
* To derive keys from secret passwords or passphrases (a ''password-based KDF'').
* To derive keys of different length from the ones provided. KDFs designed for this purpose include [[HKDF]] and SSKDF. These take an 'info' bit string as an additional optional 'info' parameter, which may be crucial to bind the derived key material to application- and context-specific information.<ref name="info">{{cite journal |last1=Krawczyk |first1=Hugo |last2=Eronen |first2=Pasi |date=May 2010 |title=The 'info' Input to HKDF |url=https://datatracker.ietf.org/doc/html/rfc5869#section-3.2 |website=datatracker.ietf.org}} RFC 5869 (2010)</ref>
* [[Key stretching]] and key strengthening.

=== Key stretching and key strengthening ===
{{Main article|Key stretching}}
Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate [[brute-force attack]] or [[dictionary attack]] on the password or passphrase input value.

Such use may be expressed as {{math|1=DK = KDF(key, salt, iterations)}}, where {{math|1=DK}} is the derived key, {{math|1=KDF}} is the key derivation [[subroutine|function]], {{math|1=key}} is the original key or password, {{math|1=salt}} is a random number which acts as [[salt (cryptography)|cryptographic salt]], and {{math|1=iterations}} refers to the number of [[iteration]]s of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations (if it is not fixed) are stored with the hashed password or sent as [[Plaintext|cleartext]] (unencrypted) with an encrypted message.<ref name=salthash>{{cite web|title=Salted Password Hashing – Doing it Right|url=https://crackstation.net/hashing-security.htm|website=CrackStation.net|access-date=29 January 2015}}</ref>

The difficulty of a brute force attack is increased with the number of iterations.  A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging into a computer or seeing a decrypted message. The use of [[salt (cryptography)|salt]] prevents the attackers from precomputing a dictionary of derived keys.<ref name="salthash" />

An alternative approach, called '''key strengthening''', extends the key with a random salt, but then (unlike in key stretching) securely deletes the salt.<ref>Abadi, Martın, T. Mark A. Lomas, and Roger Needham. "Strengthening passwords." Digital System Research Center, Tech. Rep 33 (1997): 1997.</ref> This forces both the attacker and legitimate users to perform a brute-force search for the salt value.<ref>U. Manber, "A Simple Scheme to Make Passwords Based on One-Way Functions Much Harder to Crack," Computers & Security, v.15, n.2, 1996, pp.171–176.</ref> Although the paper that introduced key stretching<ref name="low-entropy">[http://www.schneier.com/paper-low-entropy.html Secure Applications of Low-Entropy Keys], [[John Kelsey (cryptanalyst)|J. Kelsey]], [[Bruce Schneier|B. Schneier]], C. Hall, and [[David A. Wagner|D. Wagner]] (1997)</ref> referred to this earlier technique and intentionally chose a different name, the term "key strengthening" is now often (arguably incorrectly) used to refer to key stretching.