HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
This module implements the HMAC Key Derivation function, defined at
There are two interfaces: a functional interface, with separate extract and expand functions as defined in the draft RFC, and a wrapper class for these functions.
To use the functional interface, pass the pseudorandom key generated by hmac_extract([salt], [input key material]) to hmac_expand(...). salt should be a random, non-secret, site-specific string, but may be set to None. See section 3.1 of the HKDF draft for more details.
In addition to the PRK output by hmac_extract(), hmac_expand() takes an info argument, which permits generating multiple keys based on the same PRK, and a length argument, which defines the number of bytes of output key material to generate. length must be less than or equal to 255 time the block size, in bytes, of the hash function being used. See section 3.2 of the HKDF draft for more information on using the info argument.
The hash function to use can be specified for both hmac_extract() and hmac_expand() as the hash kw argument, and defaults to SHA-512 as implemented by the hashlib module. It must be the same for both extracting and expanding.
from binascii import unhexlify prk = hkdf_extract(unhexlify(b"8e94ef805b93e683ff18"), b"asecretpassword") key = hkdf_expand(prk, b"context1", 16)
To use the wrapper class, instantiate the Hkdf() class with a salt, input key material, and optionally, a hash function. Note that the default hash function for the wrapper class is SHA-256, which differs from the default for the functional interface. You may then call expand([info], [length]) on the Hkdf instance to generate output key material:
kdf = Hkdf(unhexlify(b"8e94ef805b93e683ff18"), b"asecretpassword", hash=hashlib.sha512) key = kdf.expand(b"context1", 16)
Please report any bugs at