JEP 478 : Key Derivation Function API
"We define a new class, javax.crypto.KDF, to represent key derivation functions."
DEMO
run
com.wlodar.jeeps.jep475keyderivation.KdfDemoHave language version set in IDE - 24 (Preview) or add
--enable-previewWhat is a Key Derivation Function (KDF)?
A KDF turns a password or shared secret into a strong cryptographic key.
Used in:
Password-based encryption
Secure key exchange
Token generation (e.g., OAuth, JWT)
Whatβs the Problem?
Before Java 24:
No standard KDF API in Java
Developers used low-level, inconsistent, or third-party code
Risk of insecure parameters (e.g., low iteration counts)
π What Is a Key Derivation Function (KDF)?
A Key Derivation Function (KDF) is used in cryptography to safely transform a shared secret or password into one or more cryptographic keys.
π§ Common Use Cases
π Encrypting with a password
Turns the password into a strong AES key
π Secure key exchange
Derives keys from shared secrets (e.g., TLS)
πͺͺ Token signing/auth
Derives separate keys for encryption and MAC
π Key rotation/management
Generates new keys from existing material
π§ How KDFs Relate to Quantum Security
While KDFs aren't quantum-safe on their own, they help build hybrid cryptographic protocols that are:
π Resilient to known quantum attacks (e.g., Shor's algorithm)
𧬠Useful in post-quantum key exchange
𧩠Critical in hybrid encryption β combining classical + quantum-safe keys
π KDFs in a Post-Quantum World
Quantum-safe key exchange algorithms (e.g., Kyber, Dilithium) produce raw shared secrets
A KDF (like HKDF) is used to stretch, compress, and standardize those secrets into usable keys
This ensures that even non-quantum-safe components (like AES) can be used securely in hybrid systems
πΉ Example Use Case (Real World)
In hybrid TLS (used by Google, Cloudflare, AWS):
Post-quantum and classical secrets are exchanged
Combined and passed into a KDF like HKDF
Output: symmetric keys for AES/GCM, HMAC, etc.
Last updated