Java
  • Java Workshops
    • JEPS
      • JEP 286: Local-Variable Type Inference
      • JEP 404: Generational Shenandoah
      • JEP 450 : Compact Object Headers i
      • JEP 472 : Prepare to Restrict the Use of JNI
      • JEP 475 : Late Barrier Expansion for G1
      • JEP 478 : Key Derivation Function API
      • JEP 479: Remove the Windows 32-bit x86 Port
      • JEP 483: Ahead-of-Time Class Loading & Linking
      • JEP 484: Class-File API
      • JEP 485: Stream Gatherers
      • JEP 486: Permanently Disable the Security Manager
      • JEP 487: Scoped Values (Fourth Preview)
      • JEP 488: Primitive Types in Patterns, instanceof, and switch (Second Preview)
      • JEP 489: Vector API (Ninth Incubator)
      • JEP 490: ZGC: Remove the Non-Generational Mode
      • JEP 491: Synchronize Virtual Threads without Pinning
      • JEP 492: Flexible Constructor Bodies (Third Preview)
      • JEP 494: Module Import Declarations (Second Preview)
      • JEP 495: Simple Source Files and Instance Main Methods (Fourth Preview)
      • JEP 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism
      • JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm
      • JEP 499: Structured Concurrency
      • JEP 501: Deprecate the 32-bit x86 Port for Removal
    • TODO
    • Workshops
      • JDK24 workshop
Powered by GitBook
On this page
  • DEMO
  • πŸ” What Is a Key Derivation Function (KDF)?
  • 🧠 How KDFs Relate to Quantum Security
  1. Java Workshops
  2. JEPS

JEP 478 : Key Derivation Function API

PreviousJEP 475 : Late Barrier Expansion for G1NextJEP 479: Remove the Windows 32-bit x86 Port

Last updated 8 days ago

"We define a new class, , to represent key derivation functions."

DEMO

run 

com.wlodar.jeeps.jep475keyderivation.KdfDemo

Have language version set in IDE - 24 (Preview) or add 

--enable-preview

What is a Key Derivation Function (KDF)?

A KDF turns a password or shared secret into a strong cryptographic key.

Used in:

  • Password-based encryption

  • Secure key exchange

  • Token generation (e.g., OAuth, JWT)

What’s the Problem?

Before Java 24:

  • No standard KDF API in Java

  • Developers used low-level, inconsistent, or third-party code

  • Risk of insecure parameters (e.g., low iteration counts)

πŸ” What Is a Key Derivation Function (KDF)?

A Key Derivation Function (KDF) is used in cryptography to safely transform a shared secret or password into one or more cryptographic keys.

πŸ”§ Common Use Cases

Use Case
How KDF Helps

πŸ” Encrypting with a password

Turns the password into a strong AES key

πŸ”‘ Secure key exchange

Derives keys from shared secrets (e.g., TLS)

πŸͺͺ Token signing/auth

Derives separate keys for encryption and MAC

πŸ—‚ Key rotation/management

Generates new keys from existing material

🧠 How KDFs Relate to Quantum Security

While KDFs aren't quantum-safe on their own, they help build hybrid cryptographic protocols that are:

  • πŸ” Resilient to known quantum attacks (e.g., Shor's algorithm)

  • 🧬 Useful in post-quantum key exchange

  • 🧩 Critical in hybrid encryption β€” combining classical + quantum-safe keys

πŸ”’ KDFs in a Post-Quantum World

  • Quantum-safe key exchange algorithms (e.g., Kyber, Dilithium) produce raw shared secrets

  • A KDF (like HKDF) is used to stretch, compress, and standardize those secrets into usable keys

  • This ensures that even non-quantum-safe components (like AES) can be used securely in hybrid systems

πŸ”Ή Example Use Case (Real World)

In hybrid TLS (used by Google, Cloudflare, AWS):

  • Post-quantum and classical secrets are exchanged

  • Combined and passed into a KDF like HKDF

  • Output: symmetric keys for AES/GCM, HMAC, etc.

javax.crypto.KDF
LogoJEP 478: Key Derivation Function API (Preview)