]>
CMAC-based Extract-and-Expand Key Derivation Function (CKDF)Google Incagl@google.com
Security
KDFHKDFCKDFCMAC
This memo describes a KDF based on AES-CMAC.
The HKDF key derivation function, described in , is currently the de-facto KDF for use in a variety of protocols. However, in hardware orientated designs, significant space savings can be achieved if the underlying primitive is AES rather than a cryptographic hash function.The memo specifies CKDF, the CMAC-based Key Derivation Function. It is, succinctly, HKDF but with HMAC replaced by CMAC .CKDF follows exactly the same structure as but HMAC-Hash is replaced by the function AES-CMAC throughout. The AES-CMAC function also takes two arguments: the first is a 16 byte key and the second is an input. It returns the AES-CMAC MAC of the input using the given key as an AES key.Thus, following HKDF, the CKDF-Extract(salt, IKM) function takes an optional, 16-byte salt and an arbitrary-length "input keying material" (IKM) message. If no salt is given, the 16-byte, all-zero value is used. It returns the result of AES-CMAC(key = salt, input = IKM), called the "pseudorandom key" (PRK), which will be 16 bytes long.Likewise, the CKDF-Expand(PRK, info, L) function takes the PRK result from CKDF-Extract, an arbitrary "info" argument and a requested number of bytes to produce. It calculates the L-byte result, called the "output keying material" (OKM), as:(where the constant concatenated to the end of each T(n) is a single octet.)Note that AES-CMAC in is only defined for AES-128 and likewise, so is CKDF. However, the dependency on AES-128 is stronger here because the length of the PRK from CKDF-Extract is the AES blocksize of 128 bits. Thus, if one wished to use AES-256 in the future, the PRK would, somehow, need to be 256 bits. Given the complexities of this, those wishing a higher security level should instead use HKDF with a suitable hash function.This section contains test vectors for the CKDF-Extract function.This section contains test vectors for the CKDF-Expand function.Since CKDF is so closely based on HKDF, the security considerations are the same and sections 3, 4 and 5 of are included here by reference.
None.
&RFC4493;
&RFC5869;
&RFC2104;