NIST SP800-108.pdf

When parties share a secret symmetric key (e.g., upon a successful execution of a key- establishment scheme as specified in [1] and [2]), it is often the case that additional keys will be needed (e.g. as described in [3]). Separate keys may be needed for different cryptographic purposes – for example, one key may be required for an encryption algorithm, while another key is intended for use by an integrity protection algorithm, such as a message authentication code. At other times, the distinct keys required by multiple entities may be generated by a trusted party from a single master key. Key derivation functions are used to derive such keys. 2. Scope and Purpose This Recommendation specifies several families of key derivation functions that use pseudorandom functions. These key derivation functions can be used to derive additional keys from a key that has been established through an automated key-establishment scheme (e.g. as defined in [1] and [2]), or from a pre-shared key (e.g., a manually distributed key). Effectively, the key derivation functions specified in this Recommendation provide the key expansion functionality described in [4], where key derivation is portrayed as a process that potentially requires two separate steps: 1) randomness extraction (to obtain an initial key) and 2) key expansion (to produce additional keys from that initial key and other data). Note that the key-agreement schemes specified in [1] and [2] already incorporate the use of a (hash-based) key derivation function. If the key used as an input to one of the key derivation functions specified in this Recommendation has been established by using one of those key-agreement schemes, then, for all intents and purposes, that key has been obtained by employing one of the key derivation functions defined in [1] and [2] as a randomness extractor.