com.google.crypto.tink.subtle

Class Hkdf

java.lang.Object

com.google.crypto.tink.subtle.Hkdf

public final class Hkdf
extends Object

This class implements HMAC-based Extract-and-Expand Key Derivation Function (HKDF), as described in RFC 5869.

Since:

1.0.0

Method Summary

Modifier and Type	Method and Description
static byte[]	computeEciesHkdfSymmetricKey(byte[] ephemeralPublicKeyBytes, byte[] sharedSecret, String hmacAlgo, byte[] hkdfSalt, byte[] hkdfInfo, int keySizeInBytes) Computes symmetric key for ECIES with HKDF from the provided parameters.
static byte[]	computeHkdf(String macAlgorithm, byte[] ikm, byte[] salt, byte[] info, int size) Computes an HKDF.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

computeHkdf

public static byte[] computeHkdf(String macAlgorithm,
                                 byte[] ikm,
                                 byte[] salt,
                                 byte[] info,
                                 int size)
                          throws GeneralSecurityException

Computes an HKDF.

Parameters:

macAlgorithm - the MAC algorithm used for computing the Hkdf. I.e., "HMACSHA1" or "HMACSHA256".

ikm - the input keying material.

salt - optional salt. A possibly non-secret random value. If no salt is provided (i.e. if salt has length 0) then an array of 0s of the same size as the hash digest is used as salt.

info - optional context and application specific information.

size - The length of the generated pseudorandom string in bytes. The maximal size is 255.DigestSize, where DigestSize is the size of the underlying HMAC.

Returns:

size pseudorandom bytes.

Throws:

GeneralSecurityException - if the macAlgorithm is not supported or if size is too large or if salt is not a valid key for macAlgorithm (which should not happen since HMAC allows key sizes up to 2^64).

computeEciesHkdfSymmetricKey

public static byte[] computeEciesHkdfSymmetricKey(byte[] ephemeralPublicKeyBytes,
                                                  byte[] sharedSecret,
                                                  String hmacAlgo,
                                                  byte[] hkdfSalt,
                                                  byte[] hkdfInfo,
                                                  int keySizeInBytes)
                                           throws GeneralSecurityException

Computes symmetric key for ECIES with HKDF from the provided parameters.

Parameters:

ephemeralPublicKeyBytes - the encoded ephemeral public key, i.e. the KEM part of the hybrid encryption. In some versions of ECIES (e.g. IEEE P1363a) this argument is optional. Shoup strongly prefers the inclusion of this argument in http://eprint.iacr.org/2001/112.pdf (see discussion of the value C0 in Section 15.6, and 15.6.1)

sharedSecret - the shared DH secret. This typically is the x-coordinate of the secret point.

hmacAlgo - the HMAC used (e.g. "HmacSha256")

hkdfInfo - TODO(bleichen): determine what are good values for Info and salt and what are not good values. The ISO standard proposal http://eprint.iacr.org/2001/112.pdf does not allow additional values for the key derivation (see Section 15.6.2)

hkdfSalt -

keySizeInBytes - the size of the key material for the DEM key.

Throws:

GeneralSecurityException - if hmacAlgo is not supported