NIST Special Publication 800-108

Recommendation for Key Derivation Using Pseudorandom Functions (Revised)

Lily Chen

Computer Security Division
Information Technology Laboratory

COMPUTER SECURITY

October 2009

Department of Commerce
Gary Locke, Secretary

National Institute of Standards and Technology
Patrick Gallagher, Deputy Director

Abstract

This Recommendation specifies techniques for the derivation of additional keying material from a secret key, either established through a key establishment scheme or shared through some other manner, using pseudorandom functions.

KEY WORDS: key derivation, pseudorandom function

Acknowledgements

The author, Lily Chen of the National Institute of Standards and Technology (NIST), would like to thank her colleagues, Elaine Barker, William Burr, Quynh Dang, Donna Dodson, Morris Dworkin, Katrin Hoeper, Jim Nechvatal, Tim Polk, Allen Roginsky of NIST, and Rich Davis of National Security Agency, for helpful discussions and valuable comments.
The author also gratefully appreciates the thoughtful and instructive comments received during the public comment period, which helped to improve the quality of this publication.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.

This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This Recommendation has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.)

Nothing in this Recommendation should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Conformance testing for implementations of key derivation schemes, as specified in this Recommendation, will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Communications Security Establishment Canada. An implementation of a key derivation function must adhere to the requirements in this Recommendation in order to be validated under the CMVP. The requirements of this Recommendation are indicated by the word "shall".

Table of Contents

1. Introduction
2. Scope and Purpose
3. Definitions, Symbols and Abbreviations
   Definitions
   Symbols and Abbreviations
4. Pseudorandom Function (PRF)
5. Key Derivation Functions (KDF)
   KDF in Counter
   KDF in Feedback
   KDF in Double-Pipeline Iteration
6. Key
7. Security
   Cryptographic
   The Length of the Key Derivation
   Converting Keying Material to Cryptographic
   Input Data
   Key
   Context
Appendix A: References (Informative)
Appendix B: Revision

Figures

Figure 1: KDF in Counter
Figure 2: KDF in Feedback
Figure 3: KDF in Double-Pipeline Iteration
Figure 4: Key

1. Introduction

When parties share a secret symmetric key (e.g., upon a successful execution of a key-establishment scheme as specified in [1] and [2]), it is often the case that additional keys will be needed (e.g., as described in [3]).
Separate keys may be needed for different cryptographic purposes; for example, one key may be required for an encryption algorithm, while another key is intended for use by an integrity protection algorithm, such as a message authentication code. At other times, the distinct keys required by multiple entities may be generated by a trusted party from a single master key. Key derivation functions are used to derive such keys.

2. Scope and Purpose

This Recommendation specifies several families of key derivation functions that use pseudorandom functions. These key derivation functions can be used to derive additional keys from a key that has been established through an automated key-establishment scheme (e.g., as defined in [1] and [2]), or from a pre-shared key (e.g., a manually distributed key).
Effectively, the key derivation functions specified in this Recommendation provide the key expansion functionality described in [4], where key derivation is portrayed as a process that potentially requires two separate steps: 1) randomness extraction (to obtain an initial key) and 2) key expansion (to produce additional keys from that initial key and other data). Note that the key-agreement schemes specified in [1] and [2] already incorporate the use of a (hash-based) key derivation function. If the key used as an input to one of the key derivation functions specified in this Recommendation has been established by using one of those key-agreement schemes, then, for all intents and purposes, that key has been obtained by employing one of the key derivation functions defined in [1] and [2] as a randomness extractor.
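
The key expansion step described above, as an added example that is not part of the Recommendation's text: a Python sketch of the counter-mode construction this Recommendation lists in its contents, with HMAC-SHA-256 as the pseudorandom function, producing an encryption key and a MAC key from one key derivation key. The label and context strings, the 32-bit encodings of the counter and output length, and the sample key are assumptions made for the illustration.

```python
import hashlib
import hmac

PRF_BITS = 256  # output length h of the PRF, here HMAC-SHA-256


def kdf_counter(kdk: bytes, label: bytes, context: bytes, out_bits: int) -> bytes:
    """Expand a key derivation key into out_bits of keying material.

    Block i is PRF(kdk, [i] || Label || 0x00 || Context || [L]); encoding the
    counter i and the length L as 32-bit big-endian integers is an assumption.
    """
    if out_bits <= 0 or out_bits % 8 or out_bits >= 2**32:
        raise ValueError("out_bits must be a positive multiple of 8 below 2**32")
    n_blocks = -(-out_bits // PRF_BITS)  # ceil(L / h)
    length_field = out_bits.to_bytes(4, "big")
    material = b""
    for i in range(1, n_blocks + 1):
        data = i.to_bytes(4, "big") + label + b"\x00" + context + length_field
        material += hmac.new(kdk, data, hashlib.sha256).digest()
    return material[: out_bits // 8]


def derive_enc_and_mac_keys(kdk: bytes, context: bytes) -> tuple[bytes, bytes]:
    """Derive one 512-bit string and cut it into two non-overlapping keys."""
    material = kdf_counter(kdk, b"example enc+mac keys", context, 512)
    return material[:32], material[32:]


# Constructed sample inputs for this example only (hypothetical values).
SAMPLE_KDK = bytes(range(32))
SAMPLE_CONTEXT = b"alice|bob|session-0001"

if __name__ == "__main__":
    enc_key, mac_key = derive_enc_and_mac_keys(SAMPLE_KDK, SAMPLE_CONTEXT)
    print("encryption key:", enc_key.hex())
    print("MAC key:       ", mac_key.hex())
    # L is part of every PRF input, so a shorter request is not a prefix.
    short = kdf_counter(SAMPLE_KDK, b"example enc+mac keys", SAMPLE_CONTEXT, 256)
    print("256-bit output is a prefix of the 512-bit one:", short == enc_key)
```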

3. Definitions, Symbols and Abbreviations

Definitions

Approved: FIPS approved or NIST Recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST Approved security functions.

Cryptographic key: A binary string used as a secret parameter by a cryptographic algorithm. In this Recommendation, a cryptographic key shall be either a truly random binary string of a length specified by the cryptographic algorithm or a pseudorandom binary string of the specified length that is computationally indistinguishable from one selected uniformly at random from the set of all binary strings of that length.

Entity: An individual (person), organization, device or a combination thereof. "Party" is a synonym. In this Recommendation, an entity may be a functional unit that executes certain processes.

Hash function: A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Approved hash functions are specified in FIPS 180-3 [6].

Key derivation: The process that derives keying material from a key.

Key derivation function: A function that, with the input of a cryptographic key and other data, generates a binary string, called keying material.

Key derivation key: A key used as an input to a key derivation function to derive other keys.

Key-establishment: A procedure, conducted by two or more participants, after which the resultant keying material is shared by all participants.

Key hierarchy: A key hierarchy is a multiple-level tree structure, such that each node represents a key, and each branch, pointing from one node to another, indicates a key derivation from one key to another key.

Keying material: A binary string, such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys.