

<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[
 <!ENTITY RFC2104 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2104.xml'>
 <!ENTITY RFC4493 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4493.xml'>
 <!ENTITY RFC5869 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml'>
]>

<?rfc toc="yes" symrefs="yes"?>

<rfc category="info" ipr="trust200902" docName="draft-agl-ckdf-01">
  <front>
    <title abbrev="CKDF">CMAC-based Extract-and-Expand Key Derivation Function (CKDF)</title>
    <author initials="A." surname="Langley" fullname="Adam Langley">
      <organization>Google Inc</organization>
      <address>
        <email>agl@google.com</email>
      </address>
    </author>

    <date month="Aug" year="2015" />
    <area>Security</area>
    <keyword>KDF</keyword>
    <keyword>HKDF</keyword>
    <keyword>CKDF</keyword>
    <keyword>CMAC</keyword>

    <abstract>
      <t>
        This memo describes a KDF based on AES-CMAC.
      </t>
    </abstract>
  </front>

  <middle>
    <section title="Introduction" anchor="intro">
      <t>The HKDF key derivation function, described in <xref target="RFC5869"/>, is currently the de facto KDF for use in a variety of protocols. However, in hardware-oriented designs, significant space savings can be achieved if the underlying primitive is AES rather than a cryptographic hash function.</t>

      <t>This memo specifies CKDF, the CMAC-based Key Derivation Function. It is, succinctly, HKDF but with HMAC <xref target="RFC2104"/> replaced by CMAC <xref target="RFC4493"/>.</t>
    </section>

    <section title="CKDF">
      <t>CKDF follows exactly the same structure as <xref target="RFC5869"/> but <spanx style="verb">HMAC-Hash</spanx> is replaced by the function <spanx style="verb">AES-CMAC</spanx> throughout. The <spanx style="verb">AES-CMAC</spanx> function also takes two arguments: the first is a 16-byte key and the second is an input. It returns the AES-CMAC MAC of the input using the given key as an AES key.</t>

      <t>Thus, following HKDF, the <spanx style="verb">CKDF-Extract(salt, IKM)</spanx> function takes an optional, 16-byte salt and an arbitrary-length "input keying material" (IKM) message. If no salt is given, the 16-byte, all-zero value is used. It returns the result of <spanx style="verb">AES-CMAC(key = salt, input = IKM)</spanx>, called the "pseudorandom key" (PRK), which will be 16 bytes long.</t>

      <t>Likewise, the <spanx style="verb">CKDF-Expand(PRK, info, L)</spanx> function takes the PRK result from <spanx style="verb">CKDF-Extract</spanx>, an arbitrary "info" argument and a requested number of bytes to produce. It calculates the L-byte result, called the "output keying material" (OKM), as:</t>

      <figure>
        <artwork>
N = ceil(L/16)
T = T(1) | T(2) | T(3) | ... | T(N)
OKM = first L octets of T

where:
T(0) = empty string (zero length)
T(1) = AES-CMAC(PRK, T(0) | info | 0x01)
T(2) = AES-CMAC(PRK, T(1) | info | 0x02)
T(3) = AES-CMAC(PRK, T(2) | info | 0x03)
...</artwork>
      </figure>

      <t>(where the constant concatenated to the end of each T(n) is a single octet.)</t>

      <t>Note that AES-CMAC in <xref target="RFC4493"/> is only defined for AES-128 and so, likewise, is CKDF. However, the dependency on AES-128 is stronger here because the length of the PRK from <spanx style="verb">CKDF-Extract</spanx> is the AES block size of 128 bits. Thus, if one wished to use AES-256 in the future, the PRK would, somehow, need to be 256 bits. Given the complexities of this, those wishing a higher security level should instead use HKDF with a suitable hash function.</t>
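
      <t>The Go program below is an added example, not part of the original memo and not the author's code: it builds AES-CMAC from the standard library's AES and CBC mode and implements CKDF-Extract and CKDF-Expand as defined in this section. The function names, the [16]byte types that pin salt and PRK to AES-128, and the panic when L exceeds 255 blocks (the RFC 5869 output bound applied to 16-octet blocks) are choices of this example.</t>

      <figure>
        <artwork><![CDATA[
```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// dbl multiplies a block by x in GF(2^128), branch-free (RFC 4493 subkeys).
func dbl(b [16]byte) [16]byte {
	carry := 0x87 * (b[0] >> 7) // reduction term, nonzero only if the top bit is set
	for i := 15; i >= 0; i-- {
		b[i], carry = b[i]<<1^carry, b[i]>>7
	}
	return b
}
// aesCMAC is AES-CMAC (RFC 4493): CBC-MAC with K1 or K2 mixed into the last block.
func aesCMAC(key [16]byte, msg []byte) (mac [16]byte) {
	c, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 16 bytes
	c.Encrypt(mac[:], mac[:])     // L = AES(key, 0^128), held in mac for now
	sub := dbl(mac)               // K1: the last block is complete
	m := append([]byte{}, msg...) // private copy; the caller's buffer is untouched
	if len(m) == 0 || len(m)%16 != 0 {
		m = append(append(m, 0x80), make([]byte, 15-len(m)%16)...)
		sub = dbl(sub) // K2: the last block was padded with 0x80 00..00
	}
	for i, s := range sub {
		m[len(m)-16+i] ^= s
	}
	cipher.NewCBCEncrypter(c, make([]byte, 16)).CryptBlocks(m, m)
	copy(mac[:], m[len(m)-16:])
	return mac
}
// ckdfExtract returns PRK = AES-CMAC(key = salt, input = IKM); [16]byte{} is "no salt".
func ckdfExtract(salt [16]byte, ikm []byte) [16]byte { return aesCMAC(salt, ikm) }
// ckdfExpand returns the first l octets of T(1) | T(2) | ...; one counter octet caps l.
func ckdfExpand(prk [16]byte, info []byte, l int) []byte {
	if l < 0 || l > 255*16 {
		panic(fmt.Sprintf("ckdf: L=%d is outside 0..%d octets", l, 255*16))
	}
	var t, okm []byte
	for n := byte(1); len(okm) < l; n++ {
		mac := aesCMAC(prk, append(append(t, info...), n)) // T(n-1) | info | n
		t, okm = mac[:], append(okm, mac[:]...)
	}
	return okm[:l]
}
func main() {
	fmt.Printf("%x\n", ckdfExpand(ckdfExtract([16]byte{}, []byte("secret key")), nil, 32))
}
```
]]></artwork>
      </figure>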
    </section>

    <section title="Test Vectors">
      <section title="CKDF-Extract">
        <t>This section contains test vectors for the <spanx style="verb">CKDF-Extract</spanx> function.</t>
        <figure>
          <artwork>
# These two test vectors are from RFC4493, section 4
Salt: 2b7e1516 28aed2a6 abf71588 09cf4f3c
IKM:  (empty)
PRK:  bb1d6929 e9593728 7fa37d12 9b756746

Salt: 2b7e1516 28aed2a6 abf71588 09cf4f3c
IKM:  6bc1bee2 2e409f96 e93d7e11 7393172a
PRK:  070a16b4 6b4d4144 f79bdd9d d04a287c

Salt: (none)
IKM:  73656372 6574206b 6579
PRK:  6f79b401 ea761a01 00b7ca60 c178b69d</artwork>
        </figure>
      </section>

      <section title="CKDF-Expand">
        <t>This section contains test vectors for the <spanx style="verb">CKDF-Expand</spanx> function.</t>
        <figure>
          <artwork>
PRK:  6f79b401 ea761a01 00b7ca60 c178b69d
Info: (empty)
L:    32
OKM:  922da31d 7e1955f0 6a56464b 5feb7032 8f7e6f60 aaea5735
      c2772e33 17d0a288

PRK:  6f79b401 ea761a01 00b7ca60 c178b69d
Info: 696e666f 20737472 696e67
L:    256
OKM:  6174e672 12e1234b 6e05bfd3 1043422c df1e34cd 29ee09f5
      bd5edb90 db39dcd4 c301e873 d91acbd5 333c8701 6dda05be
      3a8faade 2c3992c8 f3221f05 5efb3b51 76dbbe76 90cb4400
      f737298d 638b8026 d527c1e5 81f4e37d a0499c31 abfd8908
      207160de 343c126e cb460e38 8481fa9f 73391fe6 35a0e4b6
      cde3d385 78bcb8b5 5a60952b ac6f840f d87c397a c2477992
      ac6cbd64 3100e3ca d660373b 44e2fc0e 4867b15a cd9a070a
      3229ee40 76bf9851 7ccc656f 5bf1f8bb 41ce7e2d 48db670f
      1b2921ee 462d9cf1 987eb983 e5c2ce4e a9ceea10 c301dcca
      f16c4b57 67daa4bf 6ecc8161 77da31a5 9a9b1972 86259bd6
      598d2874 a4f605fb 877bee1b 5529873f</artwork>
        </figure>
      </section>
    </section>

    <section title="Security Considerations">
      <t>Since CKDF is so closely based on HKDF, the security considerations are the same and sections 3, 4 and 5 of <xref target="RFC5869"/> are included here by reference.</t>
    </section>

    <section title="IANA Considerations">
      <t>
        None.
      </t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      &RFC4493;
      &RFC5869;
    </references>

    <references title="Informative References">
      &RFC2104;
    </references>
  </back>
</rfc>
