- CSR
- Resolution: Approved
- P3
- None
- minimal
- The KDF APIs are new and as such do not modify any existing APIs.
- Java API
- SE
Summary
Introduce an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data.
Problem
KDFs are increasing in popularity and, along with the KEM API introduced in JDK 21, will be an important cryptographic mechanism for providing protection against quantum computers.
We considered using the existing KeyGenerator and SecretKeyFactory APIs to represent KDFs. Today, key derivation algorithms such as TLS-PRF, PBKDF1, and PBKDF2 have been made to fit into these APIs, but in general these APIs do not work well for KDFs.
- KeyGenerator is designed around the introduction of entropy (via a SecureRandom object) to create a non-deterministic key from a set of inputs. KDF, by contrast, must support the independent derivation by two separate parties of the same key material based upon a set of inputs.
- SecretKeyFactory is designed for the creation of a single key based upon a set of inputs. Though there are scenarios in which a KDF may be used in this manner, KDFs are also required to support successive derivations from a key stream in a deterministic fashion.
Solution
A new JCA primitive engine, KDF, is introduced. Users can instantiate a KDF instance using one of the getInstance methods, and call its deriveKey or deriveData methods with a specified AlgorithmParameterSpec input in order to obtain a derived SecretKey or byte[] of key material.
A KDF implementation may define one or more AlgorithmParameterSpec subclasses that provide required information for performing the key derivation function. In the case of the provided HKDF implementation described in RFC 5869, we provide 3 HKDFParameterSpec subclasses, each representing inputs for different modes of operation:
- HKDFParameterSpec.Extract
- HKDFParameterSpec.Expand
- HKDFParameterSpec.ExtractExpand
A KDFSpi class is also introduced for security providers to implement KDF algorithms.
Specification
See the attached Javadoc for a description of the new APIs (including classes and interfaces). In addition, the following will be added to the Standard Names document:
Algorithm Name | Description |
---|---|
HKDF-SHA256, HKDF-SHA384, HKDF-SHA512 | HMAC-based KDF as defined in RFC 5869. |
Along with the above updates to the Standard Names document, we will document in the JDK Providers Guide that the SunJCE provider now supports the various HKDF algorithms. A new row will be added to Table 4-13 under "The SunJCE Provider" section heading to include "KDF" under the "Engine" column and "HKDF-SHA256, HKDF-SHA384, and HKDF-SHA512" under "Algorithm Names".
- csr of: JDK-8331008 Implement JEP 478: Key Derivation Function API (Preview) (Resolved)