Key Derivation

Key Derivation extensions to the PSA Crypto API.

Functions

psa_status_t sl_psa_key_derivation_single_shot(psa_algorithm_t alg, mbedtls_svc_key_id_t key_in, const uint8_t *info, size_t info_length, const uint8_t *salt, size_t salt_length, size_t iterations, const psa_key_attributes_t *key_out_attributes, mbedtls_svc_key_id_t *key_out)

Perform a single-shot key derivation operation and output the resulting key.

Function Documentation

sl_psa_key_derivation_single_shot

psa_status_t sl_psa_key_derivation_single_shot (psa_algorithm_t alg, mbedtls_svc_key_id_t key_in, const uint8_t * info, size_t info_length, const uint8_t * salt, size_t salt_length, size_t iterations, const psa_key_attributes_t * key_out_attributes, mbedtls_svc_key_id_t * key_out)

Perform a single-shot key derivation operation and output the resulting key.

Parameters
Type | Direction | Argument Name | Description

psa_algorithm_t | N/A | alg

The key derivation algorithm to compute (PSA_ALG_XXX value such that PSA_ALG_IS_KEY_DERIVATION(alg) is true).

mbedtls_svc_key_id_t | N/A | key_in

Identifier of the secret key to input to the operation. It must allow the usage PSA_KEY_USAGE_DERIVE and be of a symmetric type.

const uint8_t * | [in] | info

A context- and application-specific information string. Only used for HKDF, where it can be omitted.

size_t | N/A | info_length

The length of the provided info in bytes.

const uint8_t * | [in] | salt

An optional salt value (a non-secret random value). Used for HKDF and PBKDF2 (recommended for PBKDF2). For PSA_ALG_SP800_108R1_CMAC this carries the Context field (user secret || salt) and must be non-empty.

size_t | N/A | salt_length

The length of the provided salt in bytes.

size_t | N/A | iterations

The number of iterations to use. Maximum supported value is 16384. Only used for PBKDF2; ignored for SP 800-108r1.

const psa_key_attributes_t * | [in] | key_out_attributes

The attributes for the new key output by the derivation operation. The key must be of a symmetric type.

mbedtls_svc_key_id_t * | [out] | key_out

The identifier of the new key output by the derivation operation.

This function supports HKDF, PBKDF2, and NIST SP 800-108r1 KDF in Counter Mode with AES-CMAC as the PRF (PSA_ALG_SP800_108R1_CMAC).

Note

    • PBKDF2-CMAC is not supported on xG21.

    • On VSE devices with a PUF key, SP 800-108r1 is the default PUF-entangled key derivation algorithm.

    • For PSA_ALG_SP800_108R1_CMAC, salt carries the caller-supplied Context field and iterations is ignored.

This function takes its secret input from a key object and any additional inputs from buffers and integers. Its output is a key object containing the output of the selected key derivation function.
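A pre-flight check for the per-algorithm argument rules documented above, as an added example (not Silicon Labs or PSA code). `kdf_check_args` and its enums are hypothetical names; requiring a salt for PBKDF2 and requiring `iterations == 0` where the value is not used are local policy choices, stricter than the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for this example; not PSA or Silicon Labs identifiers. */
typedef enum { KDF_HKDF, KDF_PBKDF2, KDF_SP800_108R1_CMAC } kdf_family_t;

typedef enum {
  KDF_ARGS_OK = 0,
  KDF_ERR_NULL_BUFFER,   /* non-zero length paired with a NULL pointer */
  KDF_ERR_ITERATIONS,    /* PBKDF2 count is 0 or above the documented maximum */
  KDF_ERR_MISSING_SALT,  /* empty salt (PBKDF2) or empty Context (SP 800-108r1) */
  KDF_ERR_UNUSED_INPUT,  /* input supplied that the selected KDF does not use */
  KDF_ERR_UNKNOWN_KDF    /* family value outside the three handled here */
} kdf_args_status_t;

#define KDF_MAX_ITERATIONS 16384u /* maximum stated on this page */

kdf_args_status_t kdf_check_args(kdf_family_t family,
                                 const uint8_t *info, size_t info_length,
                                 const uint8_t *salt, size_t salt_length,
                                 size_t iterations)
{
  if ((info_length > 0 && info == NULL) || (salt_length > 0 && salt == NULL)) {
    return KDF_ERR_NULL_BUFFER;
  }
  /* info is only used for HKDF: a label passed with another KDF would not
     separate the derived keys, so treat it as a caller bug. */
  if (family != KDF_HKDF && info_length > 0) {
    return KDF_ERR_UNUSED_INPUT;
  }
  /* iterations is only used for PBKDF2; local policy: must be 0 elsewhere. */
  if (family != KDF_PBKDF2 && iterations != 0) {
    return KDF_ERR_UNUSED_INPUT;
  }
  switch (family) {
    case KDF_PBKDF2:
      if (iterations == 0 || iterations > KDF_MAX_ITERATIONS) {
        return KDF_ERR_ITERATIONS;
      }
      /* The page only recommends a salt; this policy requires one. */
      return salt_length > 0 ? KDF_ARGS_OK : KDF_ERR_MISSING_SALT;
    case KDF_SP800_108R1_CMAC:
      /* salt carries the Context field and must be non-empty. */
      return salt_length > 0 ? KDF_ARGS_OK : KDF_ERR_MISSING_SALT;
    case KDF_HKDF:
      return KDF_ARGS_OK; /* salt and info are both optional */
  }
  return KDF_ERR_UNKNOWN_KDF;
}
```

On `KDF_ARGS_OK` the caller would go on to call `sl_psa_key_derivation_single_shot` with the matching PSA algorithm value.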