diff --git a/actix-http/src/cookie/secure/key.rs b/actix-http/src/cookie/secure/key.rs
index 39575c93..2b9a2755 100644
--- a/actix-http/src/cookie/secure/key.rs
+++ b/actix-http/src/cookie/secure/key.rs
@@ -1,13 +1,11 @@
-use ring::digest::{Algorithm, SHA256};
-use ring::hkdf::expand;
-use ring::hmac::SigningKey;
+use ring::hkdf::{HKDF_SHA256, Algorithm, Prk, KeyType};
 use ring::rand::{SecureRandom, SystemRandom};
 
 use super::private::KEY_LEN as PRIVATE_KEY_LEN;
 use super::signed::KEY_LEN as SIGNED_KEY_LEN;
 
-static HKDF_DIGEST: &Algorithm = &SHA256;
-const KEYS_INFO: &str = "COOKIE;SIGNED:HMAC-SHA256;PRIVATE:AEAD-AES-256-GCM";
+static HKDF_DIGEST: Algorithm = HKDF_SHA256;
+const KEYS_INFO: &[&[u8]] = &[b"COOKIE;SIGNED:HMAC-SHA256;PRIVATE:AEAD-AES-256-GCM"];
 
 /// A cryptographic master key for use with `Signed` and/or `Private` jars.
 ///
@@ -25,6 +23,13 @@ pub struct Key {
     encryption_key: [u8; PRIVATE_KEY_LEN],
 }
 
+impl KeyType for &Key {
+    #[inline(always)]
+    fn len(&self) -> usize {
+        SIGNED_KEY_LEN + PRIVATE_KEY_LEN
+    }
+}
+
 impl Key {
     /// Derives new signing/encryption keys from a master key.
     ///
@@ -48,29 +53,27 @@ impl Key {
     ///
     /// let key = Key::from_master(master_key);
     /// ```
-    pub fn from_master(key: &[u8]) -> Key {
-        if key.len() < 32 {
-            panic!(
-                "bad master key length: expected at least 32 bytes, found {}",
-                key.len()
-            );
+    pub fn from_master(master_key: &[u8]) -> Key {
+        if master_key.len() < 32 {
+            panic!("bad master key length: expected >= 32 bytes, found {}", master_key.len());
         }
 
-        // Expand the user's key into two.
-        let prk = SigningKey::new(HKDF_DIGEST, key);
+        // An empty `Key` structure; will be filled in with HKDF derived keys.
+        let mut output_key = Key {
+            signing_key: [0; SIGNED_KEY_LEN],
+            encryption_key: [0; PRIVATE_KEY_LEN]
+        };
+
+        // Expand the master key into two HKDF generated keys.
         let mut both_keys = [0; SIGNED_KEY_LEN + PRIVATE_KEY_LEN];
-        expand(&prk, KEYS_INFO.as_bytes(), &mut both_keys);
+        let prk = Prk::new_less_safe(HKDF_DIGEST, master_key);
+        let okm = prk.expand(KEYS_INFO, &output_key).expect("okm expand");
+        okm.fill(&mut both_keys).expect("fill keys");
 
-        // Copy the keys into their respective arrays.
-        let mut signing_key = [0; SIGNED_KEY_LEN];
-        let mut encryption_key = [0; PRIVATE_KEY_LEN];
-        signing_key.copy_from_slice(&both_keys[..SIGNED_KEY_LEN]);
-        encryption_key.copy_from_slice(&both_keys[SIGNED_KEY_LEN..]);
-
-        Key {
-            signing_key,
-            encryption_key,
-        }
+        // Copy the key parts into their respective fields.
+        output_key.signing_key.copy_from_slice(&both_keys[..SIGNED_KEY_LEN]);
+        output_key.encryption_key.copy_from_slice(&both_keys[SIGNED_KEY_LEN..]);
+        output_key
     }
 
     /// Generates signing/encryption keys from a secure, random source. Keys are
diff --git a/actix-http/src/cookie/secure/private.rs b/actix-http/src/cookie/secure/private.rs
index eb8e9beb..81a5d8f0 100644
--- a/actix-http/src/cookie/secure/private.rs
+++ b/actix-http/src/cookie/secure/private.rs
@@ -1,8 +1,10 @@
 use std::str;
 
 use log::warn;
-use ring::aead::{open_in_place, seal_in_place, Aad, Algorithm, Nonce, AES_256_GCM};
+use ring::aead::{Aad, Algorithm, Nonce, AES_256_GCM};
 use ring::aead::{OpeningKey, SealingKey};
+use ring::OpeningKey::open_in_place;
+use ring::SealingKey::seal_in_place;
 use ring::rand::{SecureRandom, SystemRandom};
 
 use super::Key;
diff --git a/actix-http/src/cookie/secure/signed.rs b/actix-http/src/cookie/secure/signed.rs
index 36a277cd..79bb0803 100644
--- a/actix-http/src/cookie/secure/signed.rs
+++ b/actix-http/src/cookie/secure/signed.rs
@@ -1,5 +1,5 @@
 use ring::digest::{Algorithm, SHA256};
-use ring::hmac::{sign, verify_with_own_key as verify, SigningKey};
+use ring::hmac::{sign, verify, Key};
 
 use super::Key;
 use crate::cookie::{Cookie, CookieJar};
@@ -21,7 +21,7 @@ pub const KEY_LEN: usize = 32;
 /// This type is only available when the `secure` feature is enabled.
 pub struct SignedJar<'a> {
     parent: &'a mut CookieJar,
-    key: SigningKey,
+    key: Key,
 }
 
 impl<'a> SignedJar<'a> {
@@ -32,7 +32,7 @@ impl<'a> SignedJar<'a> {
     pub fn new(parent: &'a mut CookieJar, key: &Key) -> SignedJar<'a> {
         SignedJar {
             parent,
-            key: SigningKey::new(HMAC_DIGEST, key.signing()),
+            key: Key::new(HMAC_DIGEST, key.signing()),
         }
     }