Crypto: HKDF

The HMAC Key Derivation Function (HKDF) sample shows how to derive keys with the HKDF algorithm, using a sample key, salt, and additional data.

Requirements

The sample supports the following development kits:

Hardware platforms

PCA

Board name

Build target

nRF9160 DK

PCA10090

nrf9160dk_nrf9160

nrf9160dk_nrf9160_ns nrf9160dk_nrf9160

nRF5340 DK

PCA10095

nrf5340dk_nrf5340

nrf5340dk_nrf5340_cpuapp_ns nrf5340dk_nrf5340_cpuapp

nRF52840 DK

PCA10056

nrf52840dk_nrf52840

nrf52840dk_nrf52840

When built for an _ns build target, the sample is configured to compile and run as a non-secure application. Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.

You can also configure it to use the Secure Partition Manager.

Overview

The sample performs the following operations:

  1. Initialization of the Platform Security Architecture (PSA) API.

  2. Key derivation:

    1. The input key is imported into the PSA crypto keystore.

    2. The output key is derived.

  3. Cleanup:

    1. The input and the output keys are removed from the PSA crypto keystore.

Building and running

This sample can be found under samples/crypto/hkdf in the nRF Connect SDK folder structure.

When built as a non-secure firmware image for the _ns build target, the sample automatically includes the Trusted Firmware-M (TF-M). You can configure it to use the Secure Partition Manager instead of TF-M.

See Building and programming an application for information about how to build and program the application and Testing and debugging an application for general information about testing and debugging in the nRF Connect SDK.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect to the kit with a terminal emulator (for example, PuTTY). See How to connect with PuTTY for the required settings.

  2. Compile and program the application.

  3. Observe the logs from the application using an RTT Viewer or a terminal emulator.

Note

By default, the sample is configured to use both RTT and UART for logging. If you are using RTT, skip the first step of the testing procedure.