In conjunction with non-secret parameters to derive one or more keys from a common secret value. Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems.
The most common use of KDFs is the password hashing approach to password verification, as used by the passwd file or shadow password file. KDFs happen to have the characteristics desired for a "password hash function", even though they were not originally designed for this purpose. The non-secret parameters are called "salt" in this context.
As components of multiparty key-agreement protocols. Examples of such key derivation functions include KDF1, defined in IEEE Std 1363-2000, and similar functions in ANSI X9.42.
To derive keys from secret passwords or passphrases.
To derive keys of different length from the ones provided: one example of KDFs designed for this purpose is HKDF.
Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate brute-force attack or dictionary attack on the password or passphrase input value. Such use may be expressed as, where is the derived key, is the key derivation function, is the original key or password, is a random number which acts as cryptographic salt, and refers to the number of iterations of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations are stored with the hashed password or sent as cleartext with an encrypted message. The difficulty of a brute force attack increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging into a computer or seeing a decrypted message. The use of salt prevents the attackers from precomputing a dictionary of derived keys. An alternative approach, called key strengthening, extends the key with a random salt, but then securely deletes the salt. This forces both the attacker and legitimate users to perform a brute-force search for the salt value. Although the paper that introduced key stretching referred to this earlier technique and intentionally chose a different name, the term "key strengthening" is now often used to refer to key stretching.
History
The first deliberately slow password-based key derivation function was called "crypt", and was invented by Robert Morris in 1978. It would encrypt a constant, using the first 8 characters of the user's password as the key, by performing 25 iterations of a modified DES encryption algorithm. The resulting 64-bit number is encoded as 11 printable characters and then stored in the Unix password file. While it was a great advance at the time, increases in processor speeds since the PDP-11 era have made brute-force attacks against crypt feasible, and advances in storage have rendered the 12-bit salt inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong passphrases impossible. Modern password-based key derivation functions, such as PBKDF2, use a cryptographic hash, such as SHA-2, more salt and a high iteration count. NIST requires at least 128 bits of random salt and a NIST-approved cryptographic function, such as the SHA series or AES. Although high throughput is a desirable property in general-purpose hash functions, the opposite is true in password security applications in which defending against brute-force cracking is a primary concern. The growing use of massively-parallel hardware such as GPUs, FPGAs, and even ASICs for brute-force cracking has made the selection of a suitable algorithms even more critical because the good algorithm should not only enforce a certain amount of computational cost not only on CPUs, but also resist the cost/performance advantages of modern massively-parallel platforms for such tasks. Various algorithms have been designed specifically for this purpose, including bcrypt, scrypt and, more recently, Lyra2 and Argon2. The large-scale Ashley Madison data breach in which roughly 36 million passwords hashes were stolen by attackers illustrated the importance of algorithm selection in securing passwords. Although bcrypt was employed to protect the hashes, a significant portion of the accounts in the compromised data also contained a password hash based on the general-purpose MD5 algorithm which made it possible for over 11 million of the passwords to be cracked in a matter of weeks. In June 2017, NIST issued a new revision of their digital authentication guidelines, NIST SP 800-63B-3, stating that: "Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive." and that "The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes."
