2.1.4 KDF Command

The KDF command is used to generate the KDF key from the premaster secret key and the input data.

The command supports three modes for creating the KDF key:

  • AES – This mode selects the location of the 16-byte source key.
  • PRF – This mode selects the length of the source key, Authenticated Encryption with Associated Data (AEAD). It also selects the length of the target key to be generated.
  • HKDF – This mode provides the flexibility to select the source location, the input data, and the zero key. HKDF also offers an IV Special Function that compares the input data against a predefined string in the configuration zone and generates the KDF key only when they match.

The command selects the location of the source key and can also select the location where the target KDF key is stored. Keeping the derived key inside the device in this way adds security, since the KDF key never has to leave the device. Both the source and the target key location can be an EEPROM slot, TempKey, or the Alternate Key Buffer. The command also provides the option to return the KDF key to the host in plain text or encrypted; the host decrypts the encrypted KDF key using the I/O protection key and the nonce.

Depending on the mode, the command returns either the plain or encrypted KDF key, or only a status code. When the encrypted KDF key is returned, a random nonce is returned with it so that the host can decrypt the key.
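The following added example models the HKDF mode and the encrypted-return path described above on the host side. It is illustrative code written for this page, not the device's own firmware or vendor library: HKDF follows RFC 5869 with SHA-256, while the wrapping scheme (XOR with a keystream expanded from the I/O protection key and the nonce) and the IV Special Function check (a prefix match against the configured string) are assumptions, not the device's documented constructions.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH_LEN = 32  # SHA-256 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    okm, block = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def wrap_key(key: bytes, io_key: bytes, nonce: bytes) -> bytes:
    """Assumed wrapping: XOR the key with a keystream derived from the I/O
    protection key and the nonce. XOR is its own inverse, so the host unwraps
    with the same call."""
    stream = hkdf_expand(io_key, nonce, len(key))
    return bytes(a ^ b for a, b in zip(key, stream))


def kdf_command(premaster: bytes, input_data: bytes, length: int = 32,
                io_key: Optional[bytes] = None, nonce: Optional[bytes] = None,
                special_iv: Optional[bytes] = None) -> dict:
    """Device-side model of the KDF command in HKDF mode with the zero key as salt.
    With special_iv set, the (assumed) IV Special Function refuses to derive unless
    the input data starts with the configured string. Without io_key the derived
    key is returned in plain text; with io_key it is returned encrypted together
    with the random nonce the host needs to decrypt it."""
    if special_iv is not None and not input_data.startswith(special_iv):
        return {"status": "iv_mismatch"}
    key = hkdf_expand(hkdf_extract(bytes(HASH_LEN), premaster), input_data, length)
    if io_key is None:
        return {"status": "ok", "key": key}
    nonce = nonce or os.urandom(32)
    return {"status": "ok", "encrypted_key": wrap_key(key, io_key, nonce), "nonce": nonce}


def host_decrypt(response: dict, io_key: bytes) -> bytes:
    """Host side: recover the KDF key from the encrypted response using the I/O
    protection key and the returned nonce."""
    return wrap_key(response["encrypted_key"], io_key, response["nonce"])
```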