This module implements the HMAC Key Derivation function, defined at
http://tools.ietf.org/html/draft-krawczyk-hkdf-01
There are two interfaces: a functional interface, with separate extract and expand functions as defined in the draft RFC, and a wrapper class for these functions.
To use the functional interface, pass the pseudorandom key generated
by hmac_extract([salt], [input key material]) to hmac_expand(...).
salt should be a random, non-secret, site-specific string, but may be
set to None. See section 3.1 of the HKDF draft for more details.
In addition to the PRK output by hmac_extract(), hmac_expand() takes an
info argument, which permits generating multiple keys based on the
same PRK, and a length argument, which defines the number of bytes
of output key material to generate. length must be less than or equal
to 255 time the block size, in bytes, of the hash function being used.
See section 3.2 of the HKDF draft for more information on using the info
argument.
The hash function to use can be specified for both hmac_extract() and
hmac_expand() as the hash kw argument, and defaults to SHA-512 as implemented
by the hashlib module. It must be the same for both extracting and expanding.
Example::
from binascii import unhexlify
prk = hkdf_extract(unhexlify(b"8e94ef805b93e683ff18"), b"asecretpassword")
key = hkdf_expand(prk, b"context1", 16)
Hkdf wrapper classTo use the wrapper class, instantiate the Hkdf() class with a salt, input
key material, and optionally, a hash function. Note that the default hash function
for the wrapper class is SHA-256, which differs from the default for the functional
interface. You may then call expand([info], [length]) on the Hkdf instance to
generate output key material::
kdf = Hkdf(unhexlify(b"8e94ef805b93e683ff18"), b"asecretpassword", hash=hashlib.sha512)
key = kdf.expand(b"context1", 16)
Please report any bugs at
https://www.github.com/casebeer/python-hkdf
FAQs
HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
We found that hkdf demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.