Derived keys

Key derivation is used on symmetric or HMAC keys to avoid the direct usage of a shared secret password in secured operations. If two parties share a secret password that is successfully hacked by a third party, any future operation becomes unsecure, and the initial two parties do not even realize that their exchanges are unsafe. However, if a different password based on that shared secret password is used for each new secured operation, even if one operation is compromised, it will only unsecure that operation, but not other operations.

The derivation consists of applying an algorithm with some additional inputs (such as a random seed value) to a password in order to obtain another password that is then used in one secured operation. Of course, the algorithm and its additional inputs must also be shared to enable the computation of the same derived key by someone that is intended to decrypt the message.

Note that passwords are often only composed of alphanumeric characters that eases a bit more the job of a hacker, whereas a derived key is composed of any binary data produced by the algorithm used for the derivation.