3

I want to do generate individual AES keys for a number of smart cards, based on a random master key (key diversification) and the serial number of the card.

According to the answers to this question HKDF is the/one way to go.

HKDF has three inputs, ikm, salt and info. Feeding in the serial number as part of ikm seems to be incorrect usage (and maybe dangerous because it makes the IKM less random?). That leaves salt and info, which one should I use?

AndreKR
  • 173
  • 5
  • I don't want to copy and paste for an answer, see section at 3.2 rfc5869 – kelalaka Mar 06 '19 at 20:05
  • 2
    Possible duplicate of HKDF: ikm, salt and info values – Ilmari Karonen Mar 06 '19 at 20:19
  • Unfortunately I don't even understand if these links argue in favor of "salt" or in favor of "info". – AndreKR Mar 06 '19 at 20:30
  • From RFC5869: We stress, however, that the use of salt adds significantly to the strength of HKDF. In particular, info may prevent the derivation of the same keying material for different contexts. – kelalaka Mar 06 '19 at 20:39
  • @kelalaka I should use salt because different info might not lead to different output keys, is that what you mean? – AndreKR Mar 06 '19 at 20:43
  • It is what the RFC5869 says. – kelalaka Mar 06 '19 at 20:43
  • @AndreKR: No, it means the info parameter may be used to prevent the derivation of the same keying material for different contexts, by making sure that each key derived from the same IKM is derived with a different info. – Ilmari Karonen Mar 06 '19 at 20:49
  • @kelalaka The same can be said about the salt because of the pigeonhole principle and the RFC does not say the likeliness of a collision is higher for the info. Especially section 3.3 gives the impression (kind of contradicting section 3.1) that an empty salt really is ok if the IKM is uniformly random. – AndreKR Mar 06 '19 at 21:04

1 Answers1

3

If all you're using HKDF for is deriving subkeys from a uniformly random master key, you don't really need the Extract part of HKDF. So you can simply use your master key directly as the IKM input to HKDF-Expand, and the serial number (plus possibly other identifying information, if you e.g. may need to derive multiple keys per card) as the info input.

Community
  • 1
Ilmari Karonen
  • 46,120
  • 5
  • 105
  • 181