HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
RFC 5869

Document Type RFC - Informational (May 2010; Errata)
Was draft-krawczyk-hkdf (individual in sec area)
Authors Hugo Krawczyk  , Pasi Eronen 
Last updated 2017-10-20
Stream Internet Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5869 (Informational)
Action Holders
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Internet Engineering Task Force (IETF)                       H. Krawczyk
Request for Comments: 5869                                  IBM Research
Category: Informational                                        P. Eronen
ISSN: 2070-1721                                                    Nokia
                                                                May 2010

      HMAC-based Extract-and-Expand Key Derivation Function (HKDF)


   This document specifies a simple Hashed Message Authentication Code
   (HMAC)-based key derivation function (HKDF), which can be used as a
   building block in various protocols and applications.  The key
   derivation function (KDF) is intended to support a wide range of
   applications and requirements, and is conservative in its use of
   cryptographic hash functions.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Krawczyk & Eronen             Informational                     [Page 1]
RFC 5869                 Extract-and-Expand HKDF                May 2010

1.  Introduction

   A key derivation function (KDF) is a basic and essential component of
   cryptographic systems.  Its goal is to take some source of initial
   keying material and derive from it one or more cryptographically
   strong secret keys.

   This document specifies a simple HMAC-based [HMAC] KDF, named HKDF,
   which can be used as a building block in various protocols and
   applications, and is already used in several IETF protocols,
   including [IKEv2], [PANA], and [EAP-AKA].  The purpose is to document
   this KDF in a general way to facilitate adoption in future protocols
   and applications, and to discourage the proliferation of multiple KDF
   mechanisms.  It is not intended as a call to change existing
   protocols and does not change or update existing specifications using
   this KDF.

   HKDF follows the "extract-then-expand" paradigm, where the KDF
   logically consists of two modules.  The first stage takes the input
   keying material and "extracts" from it a fixed-length pseudorandom
   key K.  The second stage "expands" the key K into several additional
   pseudorandom keys (the output of the KDF).

   In many applications, the input keying material is not necessarily
   distributed uniformly, and the attacker may have some partial
   knowledge about it (for example, a Diffie-Hellman value computed by a
   key exchange protocol) or even partial control of it (as in some
   entropy-gathering applications).  Thus, the goal of the "extract"
   stage is to "concentrate" the possibly dispersed entropy of the input
   keying material into a short, but cryptographically strong,
   pseudorandom key.  In some applications, the input may already be a
   good pseudorandom key; in these cases, the "extract" stage is not
   necessary, and the "expand" part can be used alone.

   The second stage "expands" the pseudorandom key to the desired
   length; the number and lengths of the output keys depend on the
   specific cryptographic algorithms for which the keys are needed.

   Note that some existing KDF specifications, such as NIST Special
   Publication 800-56A [800-56A], NIST Special Publication 800-108
   [800-108] and IEEE Standard 1363a-2004 [1363a], either only consider
   the second stage (expanding a pseudorandom key), or do not explicitly
   differentiate between the "extract" and "expand" stages, often
   resulting in design shortcomings.  The goal of this specification is
   to accommodate a wide range of KDF requirements while minimizing the
   assumptions about the underlying hash function.  The "extract-then-
   expand" paradigm supports well this goal (see [HKDF-paper] for more
Show full document text