HMAC vs PKDBF2 as the first step towards HKDF

Question

I'm implementing an application that from a password has to derive two keys, one for authentication with the server, one for encryption. I'm using Java, with JCA and Bouncy Castle.

So far, to generate a key from the password I was using PBKDF2, like this:

SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512", BC);
PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyLength);
SecretKey passwordKey = secretKeyFactory.generateSecret(keySpec);

but in the two examples I found of HKDF:

• https://github.com/WhisperSystems/libsignal-protocol-java/blob/master/java/src/main/java/org/whispersystems/libsignal/kdf/HKDF.java
• https://www.javatips.net/api/keywhiz-master/hkdf/src/main/java/keywhiz/hkdf/Hkdf.java

they start with HmacSHA256, not PBKDF2. Why is that? What are the pros and cons of these two algorithms in this case?

Answer 1

I don't think you get those "examples": they implement HKDF. The full name of HKDF is HMAC-based Extract-and-Expand Key Derivation Function. They do not use PBKDF2 because they don't implement a specific use case, they implement the algorithm.

So it is perfectly fine to use:

master = PBKDF2(SHA-256, iterations, salt, password, 32)
authKey = HKDF(SHA-256, master, "authKey", 32)
encKey = HKDF(SHA-256, master, "encKey", 32)

This is pseudo code where the configuration options such as the hash function and the output size are also present in the parameters.

Note that although the SHA-256 is specified as configuration option, both PBKDF2 and HKDF will use HMAC-SHA-256 underneath (but HMAC has only one configuration option: the hash function to use, so this is equivalent).