On Extract-then-Expand Key Derivation Functions
and an HMAC-based KDF (HKDF)

by Hugo Krawczyk

HMAC-based KDF:

In spite of their central security role in any cryptographic system, the design of multi-purpose key derivation functions (KDFs) has traditionally been carried out in ad hoc ways with little analytical foundation. This is especially true for KDFs based on cryptographic hash functions (which is the most common case in practice), where hash functions are "abused" by assuming that they behave as perfect random functions. Our opinion is that:

Given the current (healthy) skepticism about the strength of our hash functions we must strive to design schemes that use the hash function as prudently as possible.

Research results obtained in recent years point to the advantages of building KDFs based on HMAC rather than on plain hash functions as traditional schemes do.
In particular, these results show that an HMAC-based KDF can be founded on weaker assumptions on the underlying hash function. This is analogous to the use of HMAC as a PRF, which has been favored in the last 10 years over plain-hash PRFs, especially due to HMAC's better resilience to weaknesses in the underlying hash function (e.g., collision attacks).

Based on such results we propose HKDF, a fully-specified HMAC-based KDF, that can serve multiple applications under a wide variety of requirements and under relaxed assumptions on the hash functions. We accompany this proposal with a VERY detailed rationale and analysis, and a thorough comparison with existing alternatives. In particular, the proposed scheme follows the extract-then-expand paradigm for KDF design that we discuss in great detail.

The proposal is intended to address two important and timely needs of crypto applications:

(i) Providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and
(ii) Providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function.

We offer this proposal for consideration by NIST and the IETF and any other interested parties or standards bodies.

NEW!! HKDF specification has been published as RFC 5869

The full details and rationale of the scheme are presented in the paper Cryptographic Extraction and Key Derivation: The HKDF Scheme (to appear in Crypto'2010).

For those interested in the specification only, please see RFC 5869 and Section 4.2 of the above paper (and the schematic figure below). An earlier version of the paper containing less formal rationale is also available.

Definition of HKDF: Figure 1 shows the proposed HMAC-based KDF. Please refer to Section 4.2 of the paper for full details.
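
The two stages of the extract-then-expand construction, written out following RFC 5869 as an added example (this is not code from the paper or the RFC). The function names, the choice of HMAC-SHA-256 as the default, and the sample secret and labels in the demo are assumptions made for illustration.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """Extract: PRK = HMAC(key=salt, msg=IKM). Concentrates the entropy of
    possibly non-uniform input keying material into one pseudorandom key."""
    if not salt:
        # RFC 5869: a missing salt defaults to HashLen zero octets.
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """Expand: T(i) = HMAC(PRK, T(i-1) | info | i); output is T(1) | T(2) | ...
    truncated to `length` octets."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 <= length <= 255 * hash_len:
        # The block counter is a single octet, which bounds the output size.
        raise ValueError("length must be between 0 and 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int,
         hash_name: str = "sha256") -> bytes:
    """Full KDF: extract once, then expand under an application label."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


if __name__ == "__main__":
    # Constructed sample input: one shared secret, two purpose labels.
    secret = bytes(range(32))
    prk = hkdf_extract(b"constructed-salt", secret)
    enc_key = hkdf_expand(prk, b"example encryption key", 32)
    mac_key = hkdf_expand(prk, b"example mac key", 32)
    print("enc:", enc_key.hex())
    print("mac:", mac_key.hex())
    # Same label, shorter length: the output is a prefix of the longer one,
    # so distinct keys need distinct info values, not just distinct lengths.
    print(hkdf_expand(prk, b"example mac key", 16) == mac_key[:16])
```
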