I thought that all key derivation functions would do a key stretching phase, by iterating some kind of process. But I can't see that process in HKDF. HKDF doesn't do key strengthening?
If I have a passphrase as input, and I need, let's say, 1024bytes derived from this passphrase (some bytes for encryption, some bytes for a MAC). What would you recommend? Going directly for PBKDF2? Or using HKDF in some way?
HKDF is a key derivation function: it turns a symmetric key (a bunch of bytes) into another symmetric key, which can be longer (that's the point of the exercise).
Doing multiple inner iterations, to make the function slow, is a defence mechanism which makes sense when the input key is of inherently low entropy -- e.g. when it is a password (that's an unavoidable biological fact: as a storage medium for random-looking data, human brains suck). Deriving a key from a password is a task which is more complex than simply deriving a key from another key. HKDF does not pretend to handle the "password" bit. For that you need PBKDF2, which is password-based (that's the "PB" part) and also uses HMAC, this time with a configurable (and potentially huge) number of iterations.
HKDF is a building block for some cryptographic protocols, not something to use directly.
