> I finally find out what's wrong.

No, you didn't. You still want to use user-supplied passwords as IKM. HKDF is not suited for that purpose.

> RFC 5689 - https://tools.ietf.org/html/rfc5869#section-3.3
> --------
> In some applications, the input key material IKM may already be
> present as a cryptographically strong key. In this case, one can skip the
> extract part and use IKM directly to key HMAC in the expand step.
> ---------
>
> Therefore, you are debating "IKM should be strong always" and
> "salt is pure optional parameter".

Yes, HKDF might be used for lower-entropy IKM, but not for short inputs like passwords. The extract part requires a large low-entropy input to concentrate the entropy into a smaller output. HKDF doesn't add / amplify entropy, but it can concentrate a larger low-entropy input to a smaller output with entropy.

Further reading material: https://eprint.iacr.org/2010/264.pdf

Regards, Niklas
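The distinction drawn in the message above, as an added example that is not code from this thread or from any project it discusses: the two RFC 5869 steps written out with Python's standard library, plus one way to handle a password by stretching it first and then using only the expand step (the section 3.3 case). The function `keys_from_password`, the choice of PBKDF2, the iteration count and the `info` labels are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM).

    Concentrates the entropy already present in IKM; it cannot add any.
    """
    if not salt:  # RFC 5869: a missing salt is HashLen zero bytes
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def keys_from_password(password: str, salt: bytes, iterations: int = 600_000):
    """Hypothetical helper: stretch the password, then expand only.

    HKDF costs a couple of HMAC calls per candidate, so it does nothing to
    slow down guessing of a short password. The per-guess cost comes from
    the slow password KDF (PBKDF2 here, an assumption); its output is then
    used to key the expand step for independent subkeys.
    """
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    enc_key = hkdf_expand(master, b"example encryption key", 32)
    mac_key = hkdf_expand(master, b"example mac key", 32)
    return enc_key, mac_key


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample input; store it with the record
    enc_key, mac_key = keys_from_password("constructed sample password", salt)
    print(enc_key.hex(), mac_key.hex())
```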