<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Generate a HKDF key derivation of a supplied key input</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.hash-final.html">hash_final</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.hash-hmac-algos.html">hash_hmac_algos</a></div> <div class="up"><a href="ref.hash.html">Hash Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.hash-hkdf" class="refentry"> <div class="refnamediv"> <h1 class="refname">hash_hkdf</h1> <p class="verinfo">(PHP 7 >= 7.1.2)</p><p class="refpurpose"><span class="refname">hash_hkdf</span> — <span class="dc-title">Generate a HKDF key derivation of a supplied key input</span></p> </div> <div class="refsect1 description" id="refsect1-function.hash-hkdf-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">string</span> <span class="methodname"><strong>hash_hkdf</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$algo</code></span> , <span class="methodparam"><span class="type">string</span> <code class="parameter">$ikm</code></span> [, <span class="methodparam"><span class="type">int</span> <code class="parameter">$length</code><span class="initializer"> = 0</span></span> [, <span class="methodparam"><span class="type">string</span> <code class="parameter">$info</code><span class="initializer"> = ''</span></span> [, <span class="methodparam"><span class="type">string</span> <code class="parameter">$salt</code><span class="initializer"> = ''</span></span> ]]] )</div> </div> <div class="refsect1 parameters" id="refsect1-function.hash-hkdf-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <code class="parameter">algo</code></dt> <dd> <p class="para"> Name of selected hashing algorithm (i.e. "sha256", "sha512", "haval160,4", etc..) See <span class="function"><a href="function.hash-algos.html" class="function">hash_algos()</a></span> for a list of supported algorithms. <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> Non-cryptographic hash functions are not allowed. </p> </p></blockquote> </p> </dd> <dt> <code class="parameter">ikm</code></dt> <dd> <p class="para"> Input keying material (raw binary). Cannot be empty. </p> </dd> <dt> <code class="parameter">length</code></dt> <dd> <p class="para"> Desired output length in bytes. Cannot be greater than 255 times the chosen hash function size. </p> <p class="para"> If <code class="parameter">length</code> is <em>0</em>, the output length will default to the chosen hash function size. </p> </dd> <dt> <code class="parameter">info</code></dt> <dd> <p class="para"> Application/context-specific info string. </p> </dd> <dt> <code class="parameter">salt</code></dt> <dd> <p class="para"> Salt to use during derivation. </p> <p class="para"> While optional, adding random salt significantly improves the strength of HKDF. </p> </dd> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.hash-hkdf-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns a string containing a raw binary representation of the derived key (also known as output keying material - OKM); or <strong><code>FALSE</code></strong> on failure. </p> </div> <div class="refsect1 errors" id="refsect1-function.hash-hkdf-errors"> <h3 class="title">Errors/Exceptions</h3> <p class="para"> An <strong><code>E_WARNING</code></strong> will be raised if <code class="parameter">ikm</code> is empty, <code class="parameter">algo</code> is unknown/non-cryptographic, <code class="parameter">length</code> is less than <em>0</em> or too large (greater than 255 times the size of the hash function). </p> </div> <div class="refsect1 examples" id="refsect1-function.hash-hkdf-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-926"> <p><strong>Example #1 <span class="function"><strong>hash_hkdf()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// Generate a random key, and salt to strengthen it during derivation.<br /></span><span style="color: #0000BB">$inputKey </span><span style="color: #007700">= </span><span style="color: #0000BB">random_bytes</span><span style="color: #007700">(</span><span style="color: #0000BB">32</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$salt </span><span style="color: #007700">= </span><span style="color: #0000BB">random_bytes</span><span style="color: #007700">(</span><span style="color: #0000BB">16</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Derive a pair of separate keys, using the same input created above.<br /></span><span style="color: #0000BB">$encryptionKey </span><span style="color: #007700">= </span><span style="color: #0000BB">hash_hkdf</span><span style="color: #007700">(</span><span style="color: #DD0000">'sha256'</span><span style="color: #007700">, </span><span style="color: #0000BB">$inputKey</span><span style="color: #007700">, </span><span style="color: #0000BB">32</span><span style="color: #007700">, </span><span style="color: #DD0000">'aes-256-encryption'</span><span style="color: #007700">, </span><span style="color: #0000BB">$salt</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$authenticationKey </span><span style="color: #007700">= </span><span style="color: #0000BB">hash_hkdf</span><span style="color: #007700">(</span><span style="color: #DD0000">'sha256'</span><span style="color: #007700">, </span><span style="color: #0000BB">$inputKey</span><span style="color: #007700">, </span><span style="color: #0000BB">32</span><span style="color: #007700">, </span><span style="color: #DD0000">'sha-256-authentication'</span><span style="color: #007700">, </span><span style="color: #0000BB">$salt</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$encryptionKey </span><span style="color: #007700">!== </span><span style="color: #0000BB">$authenticationKey</span><span style="color: #007700">); </span><span style="color: #FF8000">// bool(true)<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <div class="example-contents"><p> The above example produces a pair of separate keys, suitable for creation of an encrypt-then-HMAC construct, using AES-256 and SHA-256 for encryption and authentication respectively. </p></div> </div> </p> </div> <div class="refsect1 seealso" id="refsect1-function.hash-hkdf-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"><span class="function"><a href="function.hash-pbkdf2.html" class="function" rel="rdfs-seeAlso">hash_pbkdf2()</a> - Generate a PBKDF2 key derivation of a supplied password</span></li> <li class="member"><a href="http://www.faqs.org/rfcs/rfc5869" class="link external">» RFC 5869</a></li> <li class="member"><a href="https://github.com/narfbg/hash_hkdf_compat" class="link external">» userland implementation</a></li> </ul> </p> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.hash-final.html">hash_final</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.hash-hmac-algos.html">hash_hmac_algos</a></div> <div class="up"><a href="ref.hash.html">Hash Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>