
NIST Special Publication 800-108

Recommendation for Key Derivation Using Pseudorandom Functions (Revised)

Lily Chen

Computer Security Division
Information Technology Laboratory

COMPUTER SECURITY

October 2009

U.S. Department of Commerce
Gary Locke, Secretary

National Institute of Standards and Technology
Patrick Gallagher, Deputy Director

SP 800-108 Recommendation for Key Derivation Using Pseudorandom Functions

Abstract

This Recommendation specifies techniques for the derivation of additional keying material from a secret key, either established through a key establishment scheme or shared through some other manner, using pseudorandom functions.

KEY WORDS: key derivation, pseudorandom function

Acknowledgements

The author, Lily Chen of the National Institute of Standards and Technology (NIST), would like to thank her colleagues, Elaine Barker, William Burr, Quynh Dang, Donna Dodson, Morris Dworkin, Katrin Hoeper, Jim Nechvatal, Tim Polk, Allen Roginsky of NIST, and Rich Davis of National Security Agency, for helpful discussions and valuable comments. The author also gratefully appreciates the thoughtful and instructive comments received during the public comment period, which helped to improve the quality of this publication.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.
This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This Recommendation has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.)

Nothing in this Recommendation should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Conformance testing for implementations of key derivation schemes, as specified in this Recommendation, will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Communications Security Establishment Canada. An implementation of a key derivation function must adhere to the requirements in this Recommendation in order to be validated under the CMVP. The requirements of this Recommendation are indicated by the word “shall.”

Table of Contents

1. Introduction
2. Scope and Purpose
3. Definitions, Symbols and Abbreviations
   3.1 Definitions
   3.2 Symbols and Abbreviations
4. Pseudorandom Function (PRF)
5. Key Derivation Functions (KDF)
   5.1 KDF in Counter Mode
   5.2 KDF in Feedback Mode
   5.3 KDF in Double-Pipeline Iteration Mode
6. Key Hierarchy
7. Security Considerations
   7.1 Cryptographic Strength
   7.2 The Length of the Key Derivation Key
   7.3 Converting Keying Material to Cryptographic Keys
   7.4 Input Data Encoding
   7.5 Key Separation
   7.6 Context Binding
Appendix A: References (Informative)
Appendix B: Revision History

Figures

Figure 1: KDF in Counter Mode
Figure 2: KDF in Feedback Mode
Figure 3: KDF in Double-Pipeline Iteration Mode
Figure 4: Key Hierarchy

1. Introduction

When parties share a secret symmetric key (e.g., upon a successful execution of a key-establishment scheme as specified in [1] and [2]), it is often the case that additional keys will be needed (e.g. as described in [3]). Separate keys may be needed for different cryptographic purposes – for example, one key may be required for an encryption algorithm, while another key is intended for use by an integrity protection algorithm, such as a message authentication code. At other times, the distinct keys required by multiple entities may be generated by a trusted party from a single master key. Key derivation functions are used to derive such keys.

2. Scope and Purpose

This Recommendation specifies several families of key derivation functions that use pseudorandom functions. These key derivation functions can be used to derive additional keys from a key that has been established through an automated key-establishment scheme (e.g. as defined in [1] and [2]), or from a pre-shared key (e.g., a manually distributed key).

Effectively, the key derivation functions specified in this Recommendation provide the key expansion functionality described in [4], where key derivation is portrayed as a process that potentially requires two separate steps: 1) randomness extraction (to obtain an initial key) and 2) key expansion (to produce additional keys from that initial key and other data).

Note that the key-agreement schemes specified in [1] and [2] already incorporate the use of a (hash-based) key derivation function.
If the key used as an input to one of the key derivation functions specified in this Recommendation has been established by using one of those key-agreement schemes, then, for all intents and purposes, that key has been obtained by employing one of the key derivation functions defined in [1] and [2] as a randomness extractor.

3. Definitions, Symbols and Abbreviations

3.1 Definitions

Approved: FIPS approved or NIST Recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST Approved security functions.

Cryptographic key: A binary string used as a secret parameter by a cryptographic algorithm. In this Recommendation, a cryptographic key shall be either a truly random binary string of a length specified by the cryptographic algorithm or a pseudorandom binary string of the specified length that is computationally indistinguishable from one selected uniformly at random from the set of all binary strings of that length.

Entity: An individual (person), organization, device or a combination thereof. “Party” is a synonym. In this Recommendation, an entity may be a functional unit that executes certain processes.

Hash function: A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Approved hash functions are specified in FIPS 180-3 [6].

Key derivation: The process that derives keying material from a key.

Key derivation function: A function that, with the input of a cryptographic key and other data, generates a binary string, called keying material.
Key derivation key: A key used as an input to a key derivation function to derive other keys.

Key- A procedure,
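
Added example, not part of the Recommendation's text: the key derivation function defined above (key derivation key plus other data in, keying material out), implemented with the counter-mode construction that the table of contents lists as Section 5.1 and used to derive the separate encryption and integrity keys mentioned in the Introduction. It goes beyond this excerpt, which does not reproduce Section 5.1; the choice of HMAC-SHA-256 as the PRF, the 32-bit counter and length encodings, the label strings, the function names and the sample key are assumptions of this example.

```python
import hashlib
import hmac

H_BYTES = hashlib.sha256().digest_size  # PRF output length h, in bytes


def kdf_counter(key_in: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """Counter-mode KDF with HMAC-SHA-256 as the PRF.

    Block i is PRF(key_in, [i] || Label || 0x00 || Context || [L]), where [i]
    and [L] (output length in bits) are 32-bit big-endian here (assumption).
    """
    if not key_in:
        raise ValueError("key derivation key must not be empty")
    if b"\x00" in label:
        # 0x00 separates Label from Context; a zero byte inside the label
        # would make two different (label, context) pairs encode identically.
        raise ValueError("label must not contain 0x00")
    if not 0 < out_len * 8 < 2**32:
        raise ValueError("output length does not fit the 32-bit [L] field")
    fixed = label + b"\x00" + context + (out_len * 8).to_bytes(4, "big")
    blocks = -(-out_len // H_BYTES)  # n = ceil(L / h)
    stream = b"".join(
        hmac.new(key_in, i.to_bytes(4, "big") + fixed, hashlib.sha256).digest()
        for i in range(1, blocks + 1)
    )
    return stream[:out_len]  # leftmost L bits of K(1) || ... || K(n)


def derive_session_keys(key_in: bytes, context: bytes) -> dict:
    """Separate keys per purpose, as in the Introduction: one for encryption,
    one for integrity protection. Label strings are hypothetical."""
    return {
        "enc": kdf_counter(key_in, b"encryption", context, 32),
        "mac": kdf_counter(key_in, b"integrity", context, 64),
    }


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    master = bytes(range(32))
    keys = derive_session_keys(master, b"alice|bob|session-1")
    for purpose, key in keys.items():
        print(purpose, len(key), key.hex())
```

Because the requested length [L] is part of the PRF input, a 16-byte output is not a prefix of the 32-byte output for the same label and context, so changing a key's length also changes every bit of it.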