HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
RFC 5869
| Document | Type |
RFC - Informational
(May 2010; Errata)
Was draft-krawczyk-hkdf (individual in sec area)
|
|
|---|---|---|---|
| Last updated | 2017-10-20 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 5869 (Informational) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Tim Polk | ||
| Send notices to | (None) | ||
Internet Engineering Task Force (IETF) H. Krawczyk
Request for Comments: 5869 IBM Research
Category: Informational P. Eronen
ISSN: 2070-1721 Nokia
May 2010
HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
Abstract
This document specifies a simple Hashed Message Authentication Code
(HMAC)-based key derivation function (HKDF), which can be used as a
building block in various protocols and applications. The key
derivation function (KDF) is intended to support a wide range of
applications and requirements, and is conservative in its use of
cryptographic hash functions.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5869.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Krawczyk & Eronen Informational [Page 1]
RFC 5869 Extract-and-Expand HKDF May 2010
1. Introduction
A key derivation function (KDF) is a basic and essential component of
cryptographic systems. Its goal is to take some source of initial
keying material and derive from it one or more cryptographically
strong secret keys.
This document specifies a simple HMAC-based [HMAC] KDF, named HKDF,
which can be used as a building block in various protocols and
applications, and is already used in several IETF protocols,
including [IKEv2], [PANA], and [EAP-AKA]. The purpose is to document
this KDF in a general way to facilitate adoption in future protocols
and applications, and to discourage the proliferation of multiple KDF
mechanisms. It is not intended as a call to change existing
protocols and does not change or update existing specifications using
this KDF.
HKDF follows the "extract-then-expand" paradigm, where the KDF
logically consists of two modules. The first stage takes the input
keying material and "extracts" from it a fixed-length pseudorandom
key K. The second stage "expands" the key K into several additional
pseudorandom keys (the output of the KDF).
In many applications, the input keying material is not necessarily
distributed uniformly, and the attacker may have some partial
knowledge about it (for example, a Diffie-Hellman value computed by a
key exchange protocol) or even partial control of it (as in some
entropy-gathering applications). Thus, the goal of the "extract"
stage is to "concentrate" the possibly dispersed entropy of the input
keying material into a short, but cryptographically strong,
pseudorandom key. In some applications, the input may already be a
good pseudorandom key; in these cases, the "extract" stage is not
necessary, and the "expand" part can be used alone.
The second stage "expands" the pseudorandom key to the desired
length; the number and lengths of the output keys depend on the
specific cryptographic algorithms for which the keys are needed.
Note that some existing KDF specifications, such as NIST Special
Publication 800-56A [800-56A], NIST Special Publication 800-108
[800-108] and IEEE Standard 1363a-2004 [1363a], either only consider
the second stage (expanding a pseudorandom key), or do not explicitly
differentiate between the "extract" and "expand" stages, often
resulting in design shortcomings. The goal of this specification is
to accommodate a wide range of KDF requirements while minimizing the
assumptions about the underlying hash function. The "extract-then-
expand" paradigm supports well this goal (see [HKDF-paper] for more
Show full document text